#Port OpenHaystack as a FAP
So I believe OpenHaystack replaced the bluetooth stack so this might be really tricky
Yeah after looking into it that is what it did
You could try to implement it using an ESP32 via GPIO
Yeah but the bulk it adds makes it impractical for actual use
The ble chip has a beacon thing
Which could be used but I'd have to look into that some more
Beaconing is not the same IIRC
Fair enough
you could certainly get the size smaller with something like this:
https://shop.m5stack.com/products/m5stamp-pico-diy-kit
very tiny
https://github.com/Ocelot-Offensive-Security/Arsenal/blob/main/Amini/FlipperZero/README.md
this from #bluetooth
https://github.com/AlexStrNik/flipperzero-firmware/blob/dev/firmware/targets/f7/ble-glue/gap.c
https://github.com/seemoo-lab/openhaystack/blob/main/Firmware/ESP32/main/openhaystack_main.c
reference
Did you try recompiling with the outdated source and lib of that firmware?
I have compiled and installed the firmware but now I don't know how to get it recognized by the iphone 
the outdated one rewrites the bluetooth stack which removes the ability to connect to the app
Yes, that's what I thought too, but now let's say I could select On and OHS or Off, but when it is close to the iphone it does nothing
I was expecting to be able to reproduce https://twitter.com/verovaleros/status/1588197289608331264
oh you mean the iphone can't see the airtag
I believe the demonstration doesn't have all of the code they used released
you might have to look into how open haystack does airtag discovery
I'll be doing that soon when I get some time
@keen bay were you the speaker at eko?
https://www.youtube.com/watch?v=uXjfNtHvHQU
reference, although I don't speak spanish
thanks I will be curious
will attempt to watch this with the sub. in english
Hey sorry for the noob question but how can i install this ?
please
Did you compile it yet?
i don't know how
But once installed, I am not sure how to run it
Did you read the how-to on the GitHub page?
Ok then I might have compiled something not useful to perform the poc. Could you try with changing these files ? https://github.com/Ocelot-Offensive-Security/Arsenal/tree/main/Amini/FlipperZero
I'm really sorry but i never compiled firmware sooo
That's the firmware I have compiled but it is not working out of the box https://github.com/AlexStrNik/flipperzero-firmware
no but I am not sure If I understood how the pairing is made
i don't think it's pairing
because the airtag also has an nfc chip
nfc is used to link the airtag to an iphone if i remember
but i don't think that we need it
even for first pairing? because I have set bluetooth on and off from the FZ near the iphone with the wizard open but it didn't work
no worries, I think our questions are in the video https://www.youtube.com/watch?v=uXjfNtHvHQU&t=1497s
Ekoparty 2022 - Maintrack Talks
Spy-wear: Misuse of Apple AirTags
In this presentation, we explain how the Apple Find My network interconnected devices technology works. This talk explores different aspects and scenarios where some individuals have been involved in these difficult situations, and some of them were able to detect and find the ...
you got it to work with Amini gap.c?
cool, so for pairing you need to go to the open haystack repo, they have an app that can generate a private/public key pair, throw that into the gap.c
then you can use openhaystack's app to track the "tag"
keep in mind you need a mac for this
the nfc they are mentioning is likely linking the private/public key to the airtag and to your icloud keychain so that you can actually know what tag is yours
may or may not be able to turn it into a fap so you don't need to recompile the firmware but I've yet to even receive a flipper so I can't test that
hopefully soon 🤞
thanks, that's what I thought from their repo. this might be too expensive for me to try right now 😄 Maybe I will be able to pick up a laptop from a friend someday
can't wait to see what you will do with yours, for now, I am trying everything I see or I am curious on. I still need to dig further on some topic
same, just gonna try a bunch of different things. you don't necessarily need a physical mac I don't believe, I'm currently using a VM on a laptop for bluebubbles and all icloud services work
i don't even think it has to be always on but I'm not super sure on that
I think just the key needs to be in the keychain
smart, but don't get me started 😄 maybe for another day, I had macOS virtualized but somehow at one point the vm crashed
😂 yeah vm macos does weird things a lot of the time, i've been trying to update to ventura for weeks lol
I gave you credits https://youtu.be/NIJL_ApJP-Y so I have followed parts I have described to @elfin flume
Thanks to BadSmolivOil for bringing visibility to this topic on the Discord
https://discord.com/channels/740930220399525928/1038313076568641597
-
Hack explained by Salvador Mendoza during @EkopartyConference https://www.youtube.com/watch?v=uXjfNtHvHQU&t=1497s
-
Modified functions from gap.c https://github.com/Ocelot-Offensive-Security/Arsena...
Merci le boss 👍
@gusty gulch yeap
@gusty gulch do you know how can i connect the flipper as an airtag to Find my phone app ?
- Generate private/public keys using openhaystack process, for example.
- Sniff the nfc registration data in 14443a protocol between a real airtag and iphone process.
- Simulate the process using the key that you generated. And emulate the ble characteristics for the communication process as well. That could be the initial process according to my research
looks soooo easy 🤯
https://www.youtube.com/watch?v=IA6_Tw1Ov4E i'm not sure that it's using nfc for registration
maybe this can help ? https://github.com/positive-security/find-you
https://github.com/seemoo-lab/openhaystack/tree/main/Firmware/Linux_HCI
There is this too but you need to execute the command on the device you want to track
and i don't know how we could do this with the flipper
Following this https://adamcatley.com/AirTag.html
an unregistered air tag has an nfc tag url that contains specific data i.e. bt address, serial number
from what I can tell when you register your air tag it assigns a new url with a key(hashed?) and associates the public/private key pair with your icloud keychain
from that point on when any apple device receives the BLE packet with the public key find my will know to associate that with your icloud account
does that sound similar to your research?
it appears it would be possible to use the flipper to sniff air tag BLE packets, and emulate them obfuscating their location
I believe that's what he did here https://twitter.com/tech/status/1595852945043619842
I mean like obfuscating wild air tags the video only shows iphones recognizing an unpaired one I think
my bad, yes, I was stuck earlier in the conversation where you mentioned capturing the first auth from an airtag.
Unfortunately I don't plan on buying an airtag anytime soon to test
Yeah same I would need both an iphone and airtag and I'm not dropping that much money
😂
Epic