How the Apple AirTags were hacked
- Published: 29 Jun 2024
- On Saturday, I managed to dump the firmware of the newly released Apple AirTags - and in this video I'll show how I did it.
I won't share firmware dumps or so, so please don't ask :)
Links:
- Colin on Twitter: / colinoflynn
- Colin on RUclips: / @colinoflynn
- Colin's company: www.newae.com
- LimitedResults Appprotect bypass: limitedresults.com/2020/06/nr...
- LimitedResults Pocketglitcher: limitedresults.com/2021/03/th...
My links:
- Twitter: / ghidraninja
- Patreon: / stacksmashing
- Pico Debug'n'Dump board: gum.co/picodnd
Timestamps:
00:00 Intro
00:10 AirTags hardware
01:40 Debugging interface
02:35 Fault-Injection
04:30 Glitching the AirTags
05:50 Hardware Setup
07:10 Let's Glitch
07:56 Firmware modification - Science
Next thing to do: Get the AirTag to RickRoll you via its speaker.
Yesss Please
That would be a very nice joke
This just won the internet!
Exactly my thoughts after watching this video.
Or have it open the rickroll youtube url via nfc
“Be careful when you try this at home” because I understand all of this technical stuff completely... haha. Great video.
@@francoisdang Just reported his post for 'Unwanted commercial content or spam'. Post gone (for me at least)! 😄
@@gh8447 Can confirm whatever you reported is indeed gone 🙃
I mean, they did all the hard work, and basically wrote a guide on what you need to do. So I'd venture many people could repeat this at home if they work on their soldering skills a bit!
I will definitely be trying this.
A little searching and you too can understand all the content in the video.
@@gh8447 which comment? What was it about?
I don't understand anything but I watched every second and nodded my head like it made sense
Because of the German accent? XD
@@centinstudios no, I don't understand circuitry at all
same here bro
Annnnd that was me as well…
This is basically a case of "security by obscurity". Nordic Semiconductor (nRF) engineers would say: "we never expected anyone to do that...". They could probably protect the next generation of chips by having some internal capacitance to make it harder to glitch externally.
The real skill show here is not your hardware hacking (which is REALLY cool).
The real skill here is the way you can simplify everything enough for most people to understand without sacrificing details for the ones that can appreciate it.
THIS is how you get more people into a field.
Keep sharing and encouraging people to follow up on their curiosities to find out how stuff work!
Thank you so much :)
It would be hilarious for you to go back into the Apple store and tell them your AirTags aren’t working only for them to get Rick rolled!
This is how you get kicked out.
good idea
@@spectraljake9056 That would be an honour. I've never set foot inside an Apple store, getting kicked out my first time would be the best
@@spectraljake9056 Would that be a permanent kicking out? Or just to leave for the day?
@@colt5189 they can’t force you to give them your name. They can probably take pictures of you though.
Apple: "The AirTags are totally safe."
Stacksmashing: _"Hold my Raspberry Pico."_
Right? He's like "normally you would use an FPGA" and throws a Raspberry Pi Pico at it.
I mean, your airtags are safe unless someone physically gets their hands on it, breaks it open, solders wires to it, etc. The airtag is still safe from remote hacking
@@kylemwalker yes, this is way outside the threat model. Air tags are still safe in the sense Apple meant :)
Unless you don't own an Apple device with which to use their warning thing. Then they're a stalker's wet dream, and frankly criminally negligent to release.
@@keiyakins I’ve done some quick reading and it seems you’re right, the current firmware leaves a fair bit to be desired. Hopefully they fix this. It’s worth noting that I can buy a 4G-enabled chip that could do something similar with zero restrictions for not a lot of money from aliexpress.
I'm not involved much in hacking but that skip of the debug check with the voltage is mindblowing to me. Didn't know this was possible, and didn't know that people implement a debug mode like that in such chips.
Have a look at security testing of hardware under the Common Criteria
Very common in embedded devices, wanna see more of this voltage glitching action, search for "How I hacked a trezor wallet worth $2 million".
5:01
Other channels: Don't try this at home!
Stacksmashing: Be careful if you try this at home.
That's because the justice system in USA is so messed up that you have to include silly disclaimers and warnings on everything. The rest of the world developed in a different direction. If you screw up, it's your own fault and you can't sue anyone for it. The best thing you can do is to look in the mirror. In America though... oh it got pretty wild and that's why the "don't try this at home" slogan even exists.
I am continually blown away by your videos, how you lay everything out so clearly, and the skill with which you do all that you do. I strive to be able to do things like this. Great work, man!
Thank you so much! I'm glad you enjoyed it :)
Hah, funny seeing you here! Love this guy's videos too :)
@@esotericsean hey Sean do you not create videos anymore on RUclips? Loved some of your original vids.
@@CMAC86 I plan on returning soon! Just had some big (really good) life changes this past year :)
@@esotericsean @James Reaction @ stacksmashing
Wow. I am seeing one great youtuber loving videos of an awesome youtuber who is blown away by another mind-blowing youtuber. You three are awesome. You are providing amazing content. Love you three.
Every new video of yours potentially extends lifespan of these devices by a lot. Your research is ground breaking every time!
I'm actually pretty surprised that I understood most of this, I've got very limited hardware / low-level experience. Awesome video!
Saw your tweet and was impressed, watched your video and I'm in awe. Good job, man!
All the way through this video I was thinking "This is cool, but what's the use?" 8:03 answered that question beautifully :D
I think it's a little obvious you can spy on someone and not get their information .... hahaha
Still no clue.
iPhone users will buy anything.
@@TheDanm22 nah, you just believe they will.
@@RadDadisRad you are 10ply.
In Apple headquarters: *nervous sweating*
Can't wait for Apple to make a v2 which is glued down
Love the brute force loop - automating the grind out of the fun, smashed it.
You're like the NileRed of hardware hackers, I'm almost done with my 2 year degree in Cybersecurity and this video is teaching me a lot.
Now that's a compliment! Thanks! Glad you enjoyed it!
Concise, informative and entertaining...what more can we ask?
Never considered doing this myself, but just the _idea_ that this works is both extremely entertaining and rather educational 😄
I don't even know why I'm watching..... But I am.. 😅
maybe to react to it😂
I know exactly what you mean. Let me tell you why you're here. You're here because you know something. What you know you can't explain, but you feel it. You've felt it your entire life. That there's something wrong with the world, you don't know what it is, but it's there. Like a splinter in your mind, driving you mad. It is this feeling that has brought you to me. Do you know what I'm talking about?
Kinda weird how people automatically like a comment from a verified person without having a single reason to
Lets you know what can be done and how they do it. For your iPhone's security: if they have direct access they can use these techniques to find what's on the phone, although it would take much longer to do and there are probably other, better ways in, but it's just another tool in the toolbox.
@@__Pre or they genuinely like and agree with the comment? 😑
This is simply satisfying to watch. Great work (and I really appreciate people mentioning sources). Way to go!
I just saw Hak5 coverage for this and was looking for the video! Great timing and good job.
Bitcoin Mining on AirTags incoming
This is the way
@@inkybz but not my phone please
@@inkybz Yet another reason I like that Android gives you the option to turn off NFC.
@@inkybz botnet sure, mining cluster would be useless. Phones are a terrible choice for miners.
@@Adaephonable Yes but if you place one of these AirTags at an airport or so you can get a lot of phones and this can add up. One phone isn't great but 1000 or 10,000...
Learned more about reverse engineering than any of my classes, thanks!
Due to the RUclips algorithm I found your channel and am I sure glad I found your channel. The stuff you do is just so interesting
Me too
You got featured at "TechLinked" in the "If you can't buy a graphics card" episode at around 4:20 ... noice.
Ohh cool, thanks for letting me know! :)
@@stacksmashing yeahhh Techlinked got me here
Definitely looking forward to getting one of those pico based tools. You are awesome! Thanks for sharing all of this with us!
You did an amazing job explaining what you did and with my background understood completely. Great video!
Fantastic video. Your explanation of the chip and attack was extraordinary. You made a complex topic approachable.
I read an article on Ars technica about this and couldn’t wait for the video.
Fantastic job dude ! Too much experience went into this short explanation
Nice job man, already really enjoy your Twitter feed, looking forward to what we can further get out of this!
Absolutely phenomenal video as usual. Love your channel so much!
Wow. Amazing work! Had been watching your videos for a while now, this gave me a great reason to subscribe and follow your work! Great job!
Whenever I see you upload, I know it will be fun, entertaining and a bit out of the ordinary.
Things like these are why I'm studying electronics. Great work man!
Studying electronics is super fun.
There is a thing called brown-out reset. You can check for that flag during the debug lock procedure, if the flag is raised at all :) Great video and presentation, thank you!
Nice work! I tend to avoid all products designed in Cupertino because they tend to only function with other products designed in Cupertino, but now it might be worthwhile thanks to you!
Well that took like a week. Very cool.
As always, amazing content! I'd say that a more in-depth video would be nice, but this seems fairly simple. Not easy, simple! It would be a long time until I could pull something like this off but you do a great job of explaining your process.
Actually, a video on reversing the firmware might be neat!
I understood absolutely everything you explained with basic electronics understanding. Very clearly explained and described.
This is so cool! I am excited to see how people utilize this to incorporate airtags into their own projects
You have immense skill. I'm glad you share it :)
You explained the concept so elegantly that it made me realize the RGH (Reset Glitch Hack) hack for the Xbox 360 used a very similar methodology to achieve code execution.
You never give up, and you never let me down.
I occasionally read through the "discovery" page on my phone (that page on android shows me targeted news) and yesterday while pooping I read the title "somebody has already hacked apples airtags"...should have known it'd be you.
I did it ages before you but don’t show or accept praise
I have no idea what Airtag is, i have no idea what you were talking about, but i watched the whole video from start to finish and it was mesmerizing!
Man you are a Genius!!!!, this video was great.
I only understood 5%, but I watched all.
Congrats.
Great Video!
I especially love how pretty much all of your recent hardware hacking videos can theoretically be replicated if you just have a Raspberry Pi Pico, some level shifters, and a breadboard.
I haven't tried any of it yet (and to be frank I don't understand too much about low-level electronics, my understanding more or less starts at logic gates), but the fact that it doesn't need super fancy equipment makes it so much more accessible!
Haha thank you! It's funny, cause at first I was like "Why do we need Pico", and now I love it.
And I think it's important to show that you don't need the highest-end devices to do cool things!
Now all that is left to do is amplify the nfc so you can rickroll everyone in your surroundings
what kind of VILE, UNSPEAKABLE EVIL CREATED YOU, MONSTER?
Is that even possible? lol
@@WalterMan yeah i'd like to know too
@@kenopyowo probably not, probably wouldn't be legal either. Too much of a nuisance
@@WalterMan absolutely not, NFC is powered/initiated by your phone not the device itself
I really have no idea what you said or did but the idea of jailbroken air tags is really awesome and i can't wait to see what people do with them
Oh, that Debug'n'Dump board looks niiiiice! 😍
When you talked about the rickroll part I laughed out loud. Amazing man, thanks for making this.
Nicely done! One of the many things I would like to reproduce one day :D
Yeah we would all like to reproduce someday
You're really good at explaining stuff.
Thank you :)
Thanks for showing your "draft soldering", now I know it's not just me!
Can’t wait to play doom on an airtag
nah skyrim would be released before doom
I'm a computer engineering student and I'd love to get better at understanding hardware hacking. Your explanation of "glitching" was really good. Is there any resources or other videos I could check out to learn more about hardware hacking like this?
Look at the sites this guy recommends.
Do the same for them. Eventually you have a bank of experts you can trust and learn from.
There's also a bunch of good stuff in whatever-number-C3 talks. Notably ones revealing some new flaw found in some game console to allow homebrew often contain some serious hardware hacking talk. "Nintendo Hacking 2016" and "Console Hacking 2016" come to mind, and tend to be a mix of super low level hardware hackery such as MITMing a PCIe bus or using external hardware to dump RAM chips of a live system, and software analysis.
@@joemck85 I remember seeing one of those talks on hackaday a while back, but never thought about the nC3 thing until now, when I didn't understand the reference and had to look it up; simple details, silly me 😆
I’m not sure what just happened but I liked it. Great job !
I didn't understand a thing but I subscribed just because of the amount of time you must have put into this video!
Just wait til they start filling the casing with resin now.
"So be careful when you do this at home"
I'm not even rich enough to get a TAXI to a Apple store
underrated
nice work, combining all the tools!
Was not interested in this area, but you did really good job and now I have some ideas what I could do, thank you
Holy crap, you've earned a sub.
Let's hope that RUclips will not delete your video as they did with the "Nintendo Game & Watch" one.
One giant corporation shielding another giant corporation while lawmakers bow down before them…we really live in a dystopia
it's on my PC btw
You know it's just a matter of time.. a gang of mealy-mouthed so and so's.. use youtube-dl, yt-dlp etc.. to preserve it offline.
What was wrong with it?
@@gamechep, Nintendo got RUclips to take it down. Nintendo generally don't want people hacking their hardware and will gladly harass, lodge DMCA requests for the mildest of reasons.. In this case, the Game & Watch hacks were a full dissection of the device, at a software and hardware level, greatly extending the device's potential and use.
This is great, I'm looking at flashing the TG7100C. This showed some concrete examples of what I was reading about. Thanks!
I didn't understand like 90% of the video but nice job, mate! I love your work
gonna watch this before its gone :D
This is WILD! Congrats for your job man
This was awesome man! New subscriber ✌🏻
Wow :D I'm new to this. Learned so much in a brief 8 mins. of your talking :D Thanks!!! Subbed!
best channel ever
I LOL’d at the Rick roll part. Absolutely genius. I love it all.
This is pretty cool. I didn't even know Apple Airtags were a thing. But i think it's pretty neat you were able to hack them and i can imagine you can have a lot of fun with these. I wonder if you can write a program to wirelessly program them now.
I have no idea what you just did, but i loved the video!
I've read about this. Gut gemacht!
I find it comedic that Apple released a product that's being used more as a test board than for its actual intended purpose
awesome summary of your work, thank you!
I kinda understand the logic and programming and circuits, but I have no clue about how to get from zero to that point. Amazing video!
Your videos are extremely overwhelming🙂
Very good work! I wonder about what the apple IC is doing in there, considering the NRF is already an onboard microcontroller and it doesn’t exactly need tons of processing power.
UWB - Ultra WideBand radio. I won't explain what it is and how it works, but the AirTag and compatible devices use UWB radio to measure how long it takes radio signals to travel between the devices - i.e. "Time Of Flight (TOF)". This allows the devices to measure the distance between themselves.
Great video and amazing work! Greetings from Canada!
Brilliant piece of experimental work.
Very nice! I'd love to see someone build a "jig" that you can just place the airtag into to jailbreak the device without having to solder to the pads, like a modchip. Also is that an external antenna port I see on the PCB?
"Please be careful while trying this at home" - Got your sarcasm
Im not a hacker but keep doing what you do man, people like you in the end do magic to the world of tech! Also even i understood the video, you are a born teacher!
I learn a lot of things, thank you, very interesting 😀
When they tell you to turn it off and on again and you enable debugging mode instead xD.
Let's count how many hours it takes for Apple to send a false copyright strike
They won’t. The backlash would be a nightmare for PR.
@@NextLevelCode Nintendo does it all the time, every time they see a modding video
@@weshuiz1325 Nintendo is a small company (relatively). Believe it or not gaming is not mainstream. Apple, Google and Facebook get much larger masses up in arms. And attention from the senate about this stuff.
Apple is also under a lot of scrutiny right now by multiple governments. I highly doubt they would do anything like that at this time.
@@NextLevelCode never say never
CONGRATS ON 100K SUBS YO!!!!!!!!!!
Thanks for explaining this process. I have always wondered how a hack like this is performed - so clever! Well done mate ✌
Apple: "New for 2021, we are releasing these homing devices to keep track of your location at all times. But don't worry, they're totally safe."
if you don't happen to have an android
because if so well get stalked by people that just slip it somewhere lol
I didn't understand anything :(
but this was cool :)
huh, he explains it SO clearly
@@maicod if it's not your field of interest, you still won't understand. I have no clue also, but understand that it's well explained. 🤣
@@BradK02 ok you got a point there
Invest more skill points in IQ
your skills are exceptional! can't wait to try this on my airtag :)
This is great channel, you have my subscribe!
This was great to learn about! What would you use a hacked/jailbroken AirTag for?
The first time i saw it i thought.....hmmmm free data :)
Start deploying IOT data that gets delivered for free?
As someone who has designed multiple PCBs, I must say I'm impressed with the voltage glitching technique. I've never heard of that and I wouldn't have thought of this to make the microcontroller skip instructions. Great video!
Entertaining Thomas! Great Work!
this video was lit af, thanks for the content
Ready to Rick-Roll people!