Updated ESP32 Arduino to include advertisement type selection #25
Conversation
|
I'm able to make randomized addresses work with the ESP32 (I think) This is what I get in wireshark: I have an AirTag at home, this is what its advertisement looks like: I don't actually own any other Apple Device (except an iPod), so I cannot confirm if this helps spawn more notifications. Regarding advertisement type, I don't have any airpod-like devices on hand, so I've no idea. I will try and get my hands on some and see what values seem appropriate depending on the device. |
|
Btw this is where I added it (~line 149 in original code's main.cpp): // Set up the advertisement data
oAdvertisementData.addData(std::string((char*)data, sizeof(dataAirpods)));
esp_bd_addr_t dummy_addr = {0xDE, 0xAD, 0xBE, 0xEF, 0xBA, 0xBE};
pAdvertising->setDeviceAddress(dummy_addr, BLE_ADDR_TYPE_RANDOM);
pAdvertising->setAdvertisementData(oAdvertisementData); |
|
FYI: I've tried to randomize the device, source mac and also advertisement type in my toy repo: https://github.com/ckcr4lyf/EvilAppleJuice-ESP32 I've not yet tried it with iOS devices, will update if I get any noticeable results. |
|
Update: Randomizing the device spoofed + adv type + random mac works amazingly well Even with just one ESP-32 nearby iPhones go crazy. I will try and get a video as well. |
|
I just tested this with the iPhone X running iOS 14. It was mostly getting advertisements related to Apple TV. More specifically, most of the it notifs were about password autofilling for a nearby (nonexistent) Apple TV. So far it looks like spoofed airpods data is very stubborn with the iPhone X (or iOS 14). Nevertheless, this is good work! I've already forked your repo and I'm gonna try to implement more user features (i.e., spam only one type of Apple device advertisements with randomized MAC address) |
|
Nice! Glad to hear it. I tested it on an iPhone 14 Pro and an iPhone 11, both running iOS 16.6.1 , and they spawned all sorts of notifications. |
applexd.mp4 |
VID_20230915_193444.mp4Works great on iphone 7 using 3 esp32, each of them having a different adv type. |
Users can now select the advertisement type by changing the advType variable. There are 5 possible advertisement types:
This can be useful when dealing with devices that are stubborn in receiving advertisements. For example, I've discovered that my iPhone X running iOS 14 tends to respond more frequently when the AirpodsGen2 payload is being sent as an ADV_TYPE_SCAN_IND instead of ADV_TYPE_IND. Note that this still does not reproduce the denial-of-service behavior. My iPhone receives a popup notification for an unknown Airpods more frequently than when the advertisement was sent as an ADV_TYPE_IND but still not frequent enough that it can genuinely annoy the user. I still think this can only be pulled off on iOS 16 devices.
Fun fact: the Airpods Gen 2 actually advertises ADV_TYPE_SCAN_IND packets. The challenge is that the Airpods randomly generates a new MAC address whenever the case is opened (notice that TxAddress is set to Random). The spoofed Airpods advertisements from the ESP32 does not do this (the TxAddress is set to Public, which has a value of 0). This makes it hard to perfectly replicate a real Airpods' advertisement packets and make it readable by devices running iOS versions below 16.
I have tried changing the address type to random by using the setDeviceAddress() function in BLEAdvertising.cpp found in the ESP32's BLE library. However, this only results in the ESP32's advertisement packets not showing up at all in WireShark (it's not being detected by my sniffer). Hopefully someone out there knows how to get randomized MAC addresses to work on the ESP32.