Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
View Regular
stacksmashing Profile picture
stacksmashing
@ghidraninja
Security researcher with a focus on hardware & firmware. I occasionally publish stuff on YouTube. Co-founder of @hextreeio. Contact: contact@stacksmashing.net

May 7, 2021, 20 tweets

Continuing the tweet-chain of @colinoflynn on AirTag hacking, we will look at the flash contents now!

Similar to most Apple embedded devices, the AirTags also seem to run RTKit... And this is where it gets interesting: It's a DEBUG build - debug builds have more functionality, and sometimes more logs & co - this is good news!

/cc @naehrdine

Also looks like the firmware for the U1 DSP is on the flash, as you can find a ton of AArch64 instructions

Next step: Dump the rkos images contained in the firmware...

Using ftab-dump (github.com/19h/ftab-dump) it's as simple as this 😀

Looks like both rkos are identical - maybe a recovery/fallback version?

Ohhh, what do we have here? This looks a lot like it might be an nRF52 firmware, which is the microcontroller used on the AirTag!

Hmm too bad, looks like it's just a reset vector, not actual firmware :)

Also here's the entropy graph of the whole thing, looks like nothing is encrypted :)

I still remember when I first saw this Apple note - in the firmware images of my 3rd generation iPod when I just got started with hardware/firmware reversing 😀

Well hello there, nRF52 firmware🥸

(If someone close to Stuttgart has too many AirTags and can spare one.. hit me up 👀)

Found a SHA256 implementation in the firmware, slowly trying to get an overview

For those playing along at home: Loaded the firmware starting at 0x28D000 into Ghidra, loading offset seems to be 0x1c000 - guessing that there's a bootloader in front of that?!

Then used SVD-Loader to load an nrf52 SVD I found - it's not super detailed but gets the job done

Looks like this is the function that generates the "I found a tag" URL:

Sweet, picking some tags up in an hour, that should be fun😬

That raw talent: Buy something and IMMEDIATELY brick it -.-

And found the SoftDevice firmware used on the AirTag - thanks for the hint that it's at the beginning of the flash @JAlDhalemi :)

As so often I’m stuck in writing tools: this time a dual SPI analyzer that gives me the data in the format I need :)

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling