Building AirTags from Scratch: Inside OpenHaystack's Reverse-Engineered Find My Protocol
Hook
A BBC micro:bit costs $15 and can tap into the same billion-device tracking network that powers Apple's $29 AirTags—no official certification required. OpenHaystack proved it's possible by reverse-engineering one of Apple's most guarded protocols.
Context
When Apple launched its Find My network in 2019, it created something unprecedented: a crowdsourced location system leveraging over a billion iOS devices worldwide. Every iPhone, iPad, and Mac with Bluetooth enabled automatically acts as a relay station, detecting nearby Bluetooth Low Energy (BLE) broadcasts from lost AirTags and uploading their encrypted locations to Apple's servers. The owner can then retrieve and decrypt these location reports to find their missing items.
But Apple's ecosystem is famously closed. Only certified accessories using Apple's proprietary chips could access the Find My network—until researchers at the Secure Mobile Networking Lab (SEEMOO) at TU Darmstadt reverse-engineered the entire protocol. Their work, published as OpenHaystack in 2021, exposed how the offline finding system actually works and demonstrated that anyone could build custom tracking devices using cheap, off-the-shelf hardware. This wasn't just an academic exercise; their research uncovered a security vulnerability (CVE-2020-9986) in Apple's implementation and democratized access to what may be the world's largest location tracking infrastructure.
Technical Insight
OpenHaystack's architecture reveals the elegant simplicity behind Apple's seemingly complex offline finding system. At its core, the protocol relies on elliptic curve cryptography using the P-224 curve. When you create a new tracking accessory in OpenHaystack, it generates an ECDSA key pair. The private key stays securely stored in your macOS keychain, while the public key gets flashed to your Bluetooth device's firmware.
The tracking device's job is remarkably simple: broadcast that public key as part of its BLE advertisement payload. The researchers discovered that Apple's offline finding advertisements use a specific format with company identifier 0x004C (Apple's Bluetooth SIG-assigned company ID) and a particular data structure. Here's what a minimal ESP32 firmware implementation looks like:
// OpenHaystack BLE advertisement structure (ESP32 Arduino sketch)
#include <BLEDevice.h>
#include <BLEAdvertising.h>
#include <string>

// packed: without it the compiler pads before company_id and breaks the wire layout
struct __attribute__((packed)) ble_advertisement {
    uint8_t flags[3] = {0x02, 0x01, 0x06};
    uint8_t length = 0x22;        // bytes that follow in this AD structure: 1+2+1+1+28+1 = 34
    uint8_t type = 0xFF;          // Manufacturer specific data
    uint16_t company_id = 0x004C; // Apple Inc. (little-endian on the wire: 4C 00)
    uint8_t offline_finding_type = 0x12;
    uint8_t state = 0x00;
    uint8_t public_key[28];       // Your P-224 public key
    uint8_t hint = 0x00;
};
// Note: a legacy BLE advertisement holds at most 31 bytes, so a full 28-byte key
// cannot travel in the payload alone; the shipped firmware moves the first six
// key bytes into the device's BLE address and sends the remaining 22 here.

static ble_advertisement adv_data;
static BLEAdvertising* pAdvertising = nullptr;

void load_public_key(uint8_t* out); // reads the flashed key; defined elsewhere in the firmware

void setup() {
    // Load public key from flash storage
    load_public_key(adv_data.public_key);
    // Configure BLE to broadcast continuously
    BLEDevice::init("");
    pAdvertising = BLEDevice::getAdvertising();
    // Set advertisement payload
    BLEAdvertisementData oAdvertisementData;
    oAdvertisementData.addData(
        std::string((char*)&adv_data, sizeof(adv_data))
    );
    pAdvertising->setAdvertisementData(oAdvertisementData);
    pAdvertising->start();
}

void loop() {
    delay(1000); // nothing to do: the controller keeps advertising on its own
}
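How the public key actually gets spread over the air, as an added Go example that is not part of the article and not OpenHaystack's own code. It packs a 28-byte P-224 public key into the BLE random static address plus the 31-byte advertising payload in the layout the OpenHaystack firmware uses (a legacy advertisement cannot carry the manufacturer header and all 28 key bytes, so the first six travel in the address and the top two bits of the first byte in a trailing byte), then parses it back the way a scanner would. The sample key is constructed; the `Advertisement` type and the function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
)

// Advertisement is everything an OpenHaystack tag puts on the air: the BLE
// advertiser (random static) address and the 31-byte advertising payload.
type Advertisement struct {
	Addr    [6]byte
	Payload [31]byte
}

// PackAdvertisement spreads a 28-byte P-224 public key over the address and
// the manufacturer-specific AD structure. Only 22 key bytes fit in the payload.
func PackAdvertisement(pubKey [28]byte) Advertisement {
	var adv Advertisement
	// A random static address must have its top two bits set, so those two
	// bits of key[0] are carried separately in payload byte 29.
	adv.Addr[0] = pubKey[0] | 0xC0
	copy(adv.Addr[1:], pubKey[1:6])

	p := adv.Payload[:]
	p[0] = 0x1E             // length of the AD structure that follows (30 bytes)
	p[1] = 0xFF             // AD type: manufacturer specific data
	p[2], p[3] = 0x4C, 0x00 // company identifier 0x004C (Apple), little-endian
	p[4] = 0x12             // offline finding type
	p[5] = 0x19             // offline finding length (25 bytes follow)
	p[6] = 0x00             // status byte
	copy(p[7:29], pubKey[6:28])
	p[29] = pubKey[0] >> 6 // top two bits of key[0]
	p[30] = 0x00           // hint
	return adv
}

// ParseAdvertisement is the scanner side: check the header and rebuild the
// full public key. Because the key never changes, the value it returns is a
// stable identifier for the tag, which is the privacy gap the Gotcha describes.
func ParseAdvertisement(adv Advertisement) ([28]byte, error) {
	var key [28]byte
	p := adv.Payload[:]
	header := []byte{0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19}
	for i, b := range header {
		if p[i] != b {
			return key, errors.New("not an offline finding advertisement")
		}
	}
	key[0] = (adv.Addr[0] & 0x3F) | (p[29] << 6)
	copy(key[1:6], adv.Addr[1:])
	copy(key[6:], p[7:29])
	return key, nil
}

func main() {
	var pubKey [28]byte // constructed stand-in for a flashed P-224 public key
	for i := range pubKey {
		pubKey[i] = byte(i*7 + 3)
	}
	pubKey[0] = 0xA5 // top bits set, to exercise the address/hint split
	adv := PackAdvertisement(pubKey)
	recovered, err := ParseAdvertisement(adv)
	fmt.Printf("addr %x\npayload %x\nrecovered == original: %v (err %v)\n",
		adv.Addr, adv.Payload, recovered == pubKey, err)
}
```

Running it prints the address and payload in hex and confirms the round trip; change any header byte and the parser rejects the frame.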
When an iPhone running iOS 13 or later comes within Bluetooth range, it automatically captures this advertisement—no user interaction required. The iPhone then performs an ECIES (Elliptic Curve Integrated Encryption Scheme) encryption of its current GPS coordinates using the broadcast public key and uploads the encrypted location report to Apple's servers at https://gateway.icloud.com/acsnservice/fetch.
The clever part is how OpenHaystack retrieves these reports. Apple doesn't provide a public API for accessing Find My data, and the endpoints require specific entitlements that only Apple's own apps possess. The SEEMOO researchers discovered that Apple Mail has these entitlements because it integrates with Find My to show contact locations. OpenHaystack exploits this by installing itself as a Mail plugin (.mailbundle), effectively inheriting Mail's privileged access to Apple's private APIs.
The macOS application then downloads encrypted location reports, filters them by the public key hash, and uses the stored private key to decrypt the GPS coordinates. Each report includes a timestamp and location accuracy estimate. The decryption process uses the P-224 curve parameters to perform an ECDH key exchange, deriving a shared secret that unlocks the AES-encrypted payload:
import Foundation
import CryptoKit

// Simplified decryption logic from OpenHaystack.
// CryptoKit ships only P-256/384/521; `P224` here is a placeholder for a P-224
// key type with the same key-agreement interface. EncryptedReport, Location
// and parseLocationData are the app's own types and helpers, defined elsewhere.
func decryptLocationReport(
    report: EncryptedReport,
    privateKey: P224.PrivateKey
) -> Location? {
    do {
        // Extract ephemeral public key from report
        let ephemeralPublicKey = try P224.PublicKey(
            rawRepresentation: report.ephemeralKey
        )
        // Perform ECDH to get shared secret
        let sharedSecret = try privateKey.sharedSecretFromKeyAgreement(
            with: ephemeralPublicKey
        )
        // Derive encryption key using KDF
        let symmetricKey = sharedSecret.hkdfDerivedSymmetricKey(
            using: SHA256.self,
            salt: Data(),
            sharedInfo: Data("location".utf8),
            outputByteCount: 32
        )
        // Decrypt the location data; a wrong key or a tampered payload throws here
        let sealedBox = try AES.GCM.SealedBox(
            combined: report.encryptedPayload
        )
        let decryptedData = try AES.GCM.open(sealedBox, using: symmetricKey)
        return parseLocationData(decryptedData)
    } catch {
        return nil
    }
}
This architecture is brilliant in its asymmetry: the tracking device is dumb (just broadcasting a fixed public key), the iPhones in the wild do the heavy lifting (GPS + encryption), and only the owner with the private key can decrypt the locations. Apple never sees the decrypted locations, and the system works entirely offline from the tracker's perspective—it doesn't need internet connectivity or any active pairing.
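Both halves of that asymmetry in one runnable piece, as an added Go example that is neither the article's Swift nor OpenHaystack's code: the finder encrypts coordinates to the tag's public point with a fresh ephemeral P-224 key, and only the holder of the private scalar can reverse it. It follows the article's simplified derivation (ECDH x-coordinate into HKDF-SHA256 with an empty salt and sharedInfo "location", then AES-256-GCM), not Apple's exact KDF. Go's crypto/elliptic supplies the P-224 arithmetic; the `Tag` and `EncryptedReport` types and the 16-byte lat/lon encoding are this example's own conventions, and the coordinates are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"math"
	"math/big"
)

var curve = elliptic.P224()

// Tag is the accessory's key pair: Priv stays with the owner, (PubX, PubY) is broadcast.
type Tag struct{ Priv []byte; PubX, PubY *big.Int }

func NewTag() (*Tag, error) {
	priv, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
	return &Tag{Priv: priv, PubX: x, PubY: y}, err
}

// EncryptedReport is the finder's upload: ephemeral public key, then nonce || ciphertext || tag.
type EncryptedReport struct{ EphemeralKey, Payload []byte }

// hkdfSHA256 is RFC 5869 HKDF with an empty salt, specialised to one 32-byte output block (T(1)).
func hkdfSHA256(secret, info []byte) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size)) // empty salt = zero key
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil)) // keyed with PRK
	expand.Write(info)
	expand.Write([]byte{1})
	return expand.Sum(nil)
}

// sessionGCM runs ECDH (scalar * point) and derives AES-256-GCM from the shared x-coordinate.
func sessionGCM(x, y *big.Int, scalar []byte) (cipher.AEAD, error) {
	sharedX, _ := curve.ScalarMult(x, y, scalar)
	secret := make([]byte, 28) // P-224 field element, left-padded
	sharedX.FillBytes(secret)
	block, err := aes.NewCipher(hkdfSHA256(secret, []byte("location")))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptLocation is the finder (iPhone) side: it holds only the tag's public point.
func EncryptLocation(tagPubX, tagPubY *big.Int, lat, lon float64) (*EncryptedReport, error) {
	ephPriv, ephX, ephY, err := elliptic.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	gcm, err := sessionGCM(tagPubX, tagPubY, ephPriv)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := make([]byte, 16)
	binary.BigEndian.PutUint64(plain[:8], math.Float64bits(lat))
	binary.BigEndian.PutUint64(plain[8:], math.Float64bits(lon))
	return &EncryptedReport{
		EphemeralKey: elliptic.Marshal(curve, ephX, ephY),
		Payload:      gcm.Seal(nonce, nonce, plain, nil),
	}, nil
}

// DecryptLocation is the owner side; a report sealed for another tag, or modified
// in transit, fails the GCM tag check instead of yielding garbage coordinates.
func DecryptLocation(tag *Tag, r *EncryptedReport) (lat, lon float64, err error) {
	ephX, ephY := elliptic.Unmarshal(curve, r.EphemeralKey)
	if ephX == nil {
		return 0, 0, errors.New("ephemeral key is not a valid P-224 point")
	}
	gcm, err := sessionGCM(ephX, ephY, tag.Priv)
	if err != nil {
		return 0, 0, err
	}
	ns := gcm.NonceSize()
	if len(r.Payload) < ns+16+gcm.Overhead() {
		return 0, 0, errors.New("report too short")
	}
	plain, err := gcm.Open(nil, r.Payload[:ns], r.Payload[ns:], nil)
	if err != nil {
		return 0, 0, err
	}
	lat = math.Float64frombits(binary.BigEndian.Uint64(plain[:8]))
	lon = math.Float64frombits(binary.BigEndian.Uint64(plain[8:]))
	return lat, lon, nil
}
```

Note the two properties the text relies on: `EncryptLocation` never sees `tag.Priv`, and a report decrypted with the wrong tag's key does not produce wrong coordinates but an authentication error, because the GCM tag was computed under a different derived key.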
OpenHaystack supports multiple hardware platforms by providing firmware templates for micro:bit (nRF51822), ESP32, and generic Nordic nRF51 chips. You can build a tracking tag for under $10 in components, flash the firmware with your generated public key, and immediately start receiving location reports anywhere there's iPhone coverage. The macOS app shows all your accessories on an interactive map with historical location trails, essentially giving you a self-hosted AirTag network.
Gotcha
OpenHaystack's biggest limitation is privacy—or rather, the lack of it compared to official AirTags. Apple's production implementation rotates public keys every 15 minutes to prevent tracking by random third parties. If someone with a Bluetooth scanner sits near your AirTag, they can't build a movement profile because the identifier keeps changing. OpenHaystack devices broadcast the same public key indefinitely, making them trivially trackable by anyone with a $5 Bluetooth sniffer. This is a fundamental trade-off of the simplified architecture: rotating keys would require the device to store hundreds of key pairs and implement synchronized rotation logic, which the researchers left as an exercise for implementers.
The installation process also requires temporarily disabling macOS System Integrity Protection (SIP) and Gatekeeper to install the unsigned Mail plugin. While you can re-enable these protections afterward, this opens a security window during setup and may make some IT security teams uncomfortable. Additionally, Apple could break OpenHaystack at any time by changing their server APIs or adding certificate pinning to the Find My endpoints. The project works today because it exploits undocumented behavior and inherited entitlements—neither of which Apple has any obligation to maintain. Finally, you're entirely dependent on Apple Mail being installed and running. If you use a different email client or Apple deprecates Mail plugins (which they've been slowly doing), the entire system stops working.
Verdict
Use OpenHaystack if you're a hardware hacker or maker building custom tracking accessories for personal projects—tracking camera bags, bikes, or prototypes in regions with dense iPhone coverage. It's perfect for understanding how offline finding protocols work at a technical level, and the educational value alone justifies the setup complexity. The ability to integrate tracking into custom form factors (sewn into jackets, embedded in 3D-printed cases) is genuinely unique. Skip it if you need production-ready tracking for valuable items, care about privacy (those fixed public keys are a real problem for daily use), require cross-platform support beyond macOS, or work in enterprise environments where temporarily disabling security features is non-negotiable. For most people, spending $29 on an actual AirTag gives you proper key rotation, unwanted tracking alerts, and a device that won't break with the next macOS update. OpenHaystack is brilliant research and a fascinating technical achievement, but it's a hobbyist tool, not a consumer product replacement.