nRF52, Amiibo, Voltage Glitch Attack and Apple Find My

date
May 18, 2024
slug
nrf52-amiibo-voltage-glitch-and-apple-find-my
status
Published
tags
nRF52
Amiibo
Hardware
summary
Recently, I purchased an Amiloop and was amazed to discover that it uses an nRF52832 chip. This device, costing a mere $2.50, boasts both Bluetooth and NFC functionality, demonstrating the cost-effectiveness of Chinese manufacturing. Further exploration revealed even more intriguing aspects. Not only can this tiny device emulate Amiibo, but it can also be flashed with Espruino firmware to function as a sensor, a Bluetooth beacon, or even a simulated AirTag. It can even report data offline via Apple's Find My network.
type
Post
Recently, I purchased an Amiloop and was amazed to discover that it uses an nRF52832 chip. This device, costing about $2.50, boasts both Bluetooth and NFC functionality, demonstrating the cost-effectiveness of Chinese manufacturing.
Further exploration revealed even more intriguing aspects. Not only can this tiny device emulate Amiibo, but it can also be flashed with Espruino firmware to function as a sensor, a Bluetooth beacon, or a simulated AirTag. It can even report data offline via Apple's Find My network.

Emulating Amiibos

My family's fascination with Animal Crossing necessitates frequent use of Amiibo to invite villagers to their island. Researching the available Amiibo emulation methods revealed several options:
  • NTAG 215:
    • At its core, an Amiibo is an NTAG 215 tag. Pre-printed cards are readily available online, and blank cards can be written with TagMo on a smartphone. These cost approximately $0.07 per card. The drawback is that each card can only be written once, so you end up managing a multitude of physical cards.
  • NFC Protocol:
    • NFC Amiibo emulators range from the aforementioned Amiloop/AmiiboLink, priced at around $2.50, to the pricier N2 Elite and PowerTag, which can cost hundreds of dollars. There is even a method involving 3DS emulation using HubSteven/3ds_ir. The underlying principle of these methods is to connect the device to a computer or smartphone via Bluetooth and write the desired Amiibo data to it. This allows unlimited rewriting and currently seems to be the most practical solution.
  • Bluetooth Protocol:
    • Since the Switch's NFC module is integrated into the Joy-Con, emulating a Joy-Con via Bluetooth allows Amiibo data to be transmitted by mimicking a legitimate controller. One option is to use a Raspberry Pi to emulate a Joy-Con with mart1nro/joycontrol. Unfortunately, due to open-source licensing issues, this feature was removed (#80), so the code has to be reverted manually.
      Similarly, EasyMCU_ESP32 uses an ESP32 to emulate a controller, but its firmware is not open source. The author has written informative articles on Joy-Con emulation: ESP32 Simulate NS JoyCon and Pro, Compatible with Amiibo and Amiibo Fake.
      There is also a method that uses Android phones to emulate Bluetooth controllers, but it is limited to specific models.
      This approach can be cumbersome, as it requires controller-style pairing every time it is used.

Espruino

While browsing the AmiiboLink / AmiLoop forum post, I discovered that the nRF52 can be flashed with Espruino.
Unlike Arduino, this project runs a JavaScript interpreter on the chip and is programmed from a web-based IDE (the Espruino.com IDE), which connects to the device via Web Bluetooth from the browser. This eliminates the need for a data cable during development, making it even more accessible than Arduino. It even has its own "app store" (EspruinoApps) with some intriguing examples, such as detecting LED flashes on an electricity meter to calculate power consumption (Smart Meter) and simulating AirTags (apps/openhaystack).
AmiLoop can function as a Puck.js. Thanks to the configuration provided by DanTheMan827, GitHub Actions can be used to compile the firmware with little effort.
Here is the firmware I compiled:

Firmware Backup and Flashing

AmiLoop and AmiiboLink share identical hardware, so firmware can be cross-flashed between them. However, their respective apps for controlling Amiibo switching are not interchangeable.
The current factory firmware comes in two versions: v3 and v4. The v4 firmware enables the nRF52's access port protection (UICR.APPROTECT), which blocks debugging and data dumping via SWD. The lock can be cleared with the CTRL-AP ERASEALL command, but that also wipes the flash and UICR, so the original firmware is lost; a voltage glitch attack bypasses the check without erasing anything.
https://imgur.com/a/amiloop-board-K8Wp6Rp
Due to bootloader incompatibility, flashing must be done over SWD with a DAPLink/CMSIS-DAP probe. The configuration file is as follows:
 
The OpenOCD/telnet backup/flashing/unlocking steps are as follows:
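The following is an added example of the backup, unlock and flash steps driven from Python; it is my own code, not the configuration or command log from the post. It assumes a stock OpenOCD install (the bundled `interface/cmsis-dap.cfg` and `target/nrf52.cfg` scripts, which name the DAP `nrf52.dap`) and an nRF52832 with 512 KB of flash. The `approtect_enabled` helper decodes the UICR dump so you can tell a v3 (unlocked) from a v4 (locked) device before deciding between ERASEALL and a glitch.

```python
"""Backup / unlock / flash an nRF52832 over SWD with OpenOCD and a CMSIS-DAP probe.

Added example, not the configuration from the post. Assumes a stock OpenOCD
install (interface/cmsis-dap.cfg, target/nrf52.cfg) and an nRF52832 (512 KB flash).
"""
import shutil
import subprocess

# nRF52832 memory map (Nordic product specification).
FLASH_BASE, FLASH_SIZE = 0x00000000, 0x80000   # 512 KB code flash
UICR_BASE, UICR_SIZE = 0x10001000, 0x1000      # User Information Configuration Registers
APPROTECT_OFFSET = 0x208                       # UICR.APPROTECT; 0xFF in the low byte = disabled

# Stock OpenOCD scripts: CMSIS-DAP probe, SWD transport, nRF52 target.
OPENOCD_BASE_ARGS = [
    "-f", "interface/cmsis-dap.cfg",
    "-c", "transport select swd",
    "-f", "target/nrf52.cfg",
]


def approtect_enabled(uicr: bytes) -> bool:
    """Decode UICR.APPROTECT from a UICR dump.

    Only the low byte matters: 0xFF means access port protection is disabled;
    any other value locks the debug port (what the v4 factory firmware sets).
    """
    word = int.from_bytes(uicr[APPROTECT_OFFSET:APPROTECT_OFFSET + 4], "little")
    return (word & 0xFF) != 0xFF


def backup_commands(flash_path: str, uicr_path: str) -> list[str]:
    """OpenOCD commands that dump code flash and UICR (only possible with APPROTECT off)."""
    return [
        "init",
        "halt",
        f"dump_image {flash_path} {FLASH_BASE:#x} {FLASH_SIZE:#x}",
        f"dump_image {uicr_path} {UICR_BASE:#x} {UICR_SIZE:#x}",
        "shutdown",
    ]


def unlock_commands() -> list[str]:
    """Clear APPROTECT through the CTRL-AP (AP #1) ERASEALL register.

    CTRL-AP stays reachable while APPROTECT is on, but ERASEALL wipes flash and
    UICR, so the original firmware is gone afterwards. A voltage glitch is the
    only route if the firmware itself must be recovered. Recent OpenOCD releases
    ship a nrf52_recover helper in target/nrf52.cfg that runs the same sequence.
    """
    return [
        "init",
        "nrf52.dap apreg 1 0x04 0x01",   # CTRL-AP.ERASEALL = 1
        "sleep 200",                     # ERASEALLSTATUS (0x08) reads 0 when finished
        "nrf52.dap apreg 1 0x08",
        "nrf52.dap apreg 1 0x04 0x00",
        "nrf52.dap apreg 1 0x00 0x01",   # CTRL-AP.RESET pulse so the core re-reads UICR
        "nrf52.dap apreg 1 0x00 0x00",
        "shutdown",
    ]


def flash_commands(hex_path: str) -> list[str]:
    """Program a hex image (for example the Espruino build) and reset."""
    return ["init", f"program {hex_path} verify reset", "shutdown"]


def openocd_argv(commands: list[str]) -> list[str]:
    """Turn a command list into a one-shot openocd invocation."""
    argv = ["openocd", *OPENOCD_BASE_ARGS]
    for cmd in commands:
        argv += ["-c", cmd]
    return argv


def run_openocd(commands: list[str]) -> int:
    """Run the command list; returns OpenOCD's exit status, or -1 if it is not installed."""
    if shutil.which("openocd") is None:
        return -1
    return subprocess.run(openocd_argv(commands), check=False).returncode


if __name__ == "__main__":
    if run_openocd(backup_commands("flash.bin", "uicr.bin")) == 0:
        with open("uicr.bin", "rb") as f:
            print("APPROTECT enabled:", approtect_enabled(f.read()))
```

Run the backup first on a v3 device; on a v4 device `dump_image` fails because the AHB-AP is blocked, and `unlock_commands()` is the destructive fallback.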

Voltage Glitch Attack

For an nRF52 with APPROTECT enabled, debugging and data dumping via SWD are disabled. A voltage glitch attack briefly disturbs the chip's core supply at a precise moment so that an instruction or register read is corrupted and a logic check is skipped. On the nRF52 the target is the power-up check that reads UICR.APPROTECT and disables the debug access port; if that check is glitched, SWD stays open and the flash can be dumped without erasing it.
A YouTube video by Joe Grand showcases the use of a voltage glitch attack to recover $2 million worth of BTC from a cold wallet.
The video features a humorous moment where the seasoned hacker forgets to ground the device. Ultimately, his wife and children join in celebrating his success. It reminded me of my childhood, watching my father solder a radio with a soldering iron. Having a hands-on, tech-savvy parent is truly a blessing.
For the nRF52, atc1441 offers a more affordable solution with ESP32_nRF52_SWD, which uses an ESP32 and a MOSFET switch to perform the voltage glitch. It even provides a web page for adjusting the glitch timing. To increase the success rate, the project recommends removing two capacitors from the board.
This brought back memories of playing NES as a child. On summer evenings with low voltage, the console would display glitched, mosaic-like visuals, inadvertently helping me bypass a challenging level in Metal Max.

Apple Find My and OpenHaystack

I mentioned Espruino's ability to emulate AirTags using OpenHaystack. I had placed a cheap Chinese AirTag alternative, AIYATO, in a package to track its location. The price was astonishingly low at just $3. While it can provide some location updates, it lacks the precision of ultra-wideband technology. For tracking valuables and pets, using genuine AirTags remains the better option.

Find My

The OpenHaystack project provides insight into the Find My network's workflow: an AirTag broadcasts a public key over BLE → nearby iPhones pick up the broadcast → each iPhone encrypts its own GPS location with that public key and uploads the ciphertext together with a hash of the public key to Apple's servers → the owner's device queries the servers by key hash and decrypts the location reports with the matching private key. The tag itself has no GPS and never learns its location.
https://github.com/seemoo-lab/openhaystack
To stop a passive observer from linking successive broadcasts and tracking the tag, AirTags periodically rotate their public keys. The rotation is time-based; if the device loses power and its clock resets, it falls back to a secondary key, and once the clock is synchronized again it resumes rotating from the primary key. Based on my observations, AirTags do not trigger location reports all the time; reports only start after the tag has been separated from its owner for a certain duration.
Since only a hash of the public key is uploaded and the keys rotate, the server cannot tell an OpenHaystack beacon from a genuine accessory, so it would be hard for Apple to block OpenHaystack without abandoning old devices and introducing a new protocol.
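To make the key rotation and the broadcast concrete, here is an added example (my own code, not OpenHaystack's) that reimplements the key scheme from the Heinrich et al. paper OpenHaystack is based on: the symmetric key `SK_i` is rotated with SHA-256, an X9.63 KDF derives `(u_i, v_i)` from it, and the rotating private key is `d_i = d_0 * u_i + v_i mod n` on NIST P-224. The 28-byte x-coordinate of `d_i * G` is the advertisement key, its SHA-256 (base64) is what the owner queries for, and `ble_frame` packs it into the 31-byte Apple manufacturer-specific advertisement plus the random static BLE address, as the OpenHaystack firmware does. The zero status byte and hint byte are simplifications, and the master key values in the test are made up.

```python
"""Find My / OpenHaystack key rotation and advertisement layout (added example).

Not OpenHaystack's code: a self-contained reimplementation of the key scheme from
"Who Can Find My Devices?" (Heinrich et al.) with a minimal affine P-224 implementation.
"""
import base64
import hashlib

# NIST P-224 domain parameters (the curve Find My uses).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001
A = P - 3
B = 0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D
G = (0xB70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21,
     0xBD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # Q + (-Q)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point=G):
    """Double-and-add; fine for illustration, not constant-time."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def on_curve(point):
    x, y = point
    return (y * y - (x * x * x + A * x + B)) % P == 0


def x963_kdf(z, shared_info, length):
    """ANSI X9.63 KDF with SHA-256: hash(z || counter || info), counter from 1."""
    out, counter = b"", 1
    while len(out) < length:
        out += hashlib.sha256(z + counter.to_bytes(4, "big") + shared_info).digest()
        counter += 1
    return out[:length]


def rotate(sk_prev):
    """SK_i = SHA-256(SK_{i-1} || "update")."""
    return hashlib.sha256(sk_prev + b"update").digest()


def diversify(d0, sk_i):
    """d_i = d_0 * u_i + v_i mod n, with (u_i, v_i) taken from KDF(SK_i, "diversify", 72)."""
    uv = x963_kdf(sk_i, b"diversify", 72)
    u = int.from_bytes(uv[:36], "big") % (N - 1) + 1
    v = int.from_bytes(uv[36:], "big") % (N - 1) + 1
    return (d0 * u + v) % N


def advertisement_key(pub):
    """The 28-byte x-coordinate is all that is broadcast."""
    return pub[0].to_bytes(28, "big")


def hashed_key(adv_key):
    """SHA-256 of the advertisement key, base64: the lookup id uploaded by finders."""
    return base64.b64encode(hashlib.sha256(adv_key).digest()).decode()


def ble_frame(adv_key, status=0x00):
    """BLE random static address plus the 31-byte Apple offline-finding payload."""
    addr = bytes([adv_key[0] | 0xC0]) + adv_key[1:6]    # top two bits mark a random static address
    payload = (bytes([0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19, status])  # len, mfr data, Apple, type, len
               + adv_key[6:28]                                    # remaining 22 key bytes
               + bytes([adv_key[0] >> 6, 0x00]))                  # 2 key bits squeezed out of the address, hint
    return addr, payload


def key_schedule(d0, sk0, count):
    """First `count` (private scalar, advertisement key) pairs for a master key (d0, SK_0)."""
    keys, sk = [], sk0
    for _ in range(count):
        sk = rotate(sk)
        d_i = diversify(d0, sk)
        keys.append((d_i, advertisement_key(scalar_mult(d_i))))
    return keys
```

The owner side only needs `d_0` and `SK_0` to regenerate every `d_i`, which is why a single master key in Keychain is enough to decrypt reports for weeks of rotations.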

Sending Custom Data

This mechanism can also be leveraged to send custom data, allowing for the placement of sensors in offline environments for data transmission. dakhnod/FakeTag implemented a sensor that sends mailbox arrival notifications.
https://github.com/dakhnod/FakeTag
positive-security/send-my takes a more direct and ingenious approach, using Apple's servers as storage. The sender encodes each data bit in the choice of public key it broadcasts, and the receiver checks the server for the presence or absence of location reports for each candidate key, reading the results as 0s and 1s to recover the message.
https://positive.security/blog/send-my

Retrieving Data

OpenHaystack requires a Mail plugin to send requests to Apple's servers (similar to older versions of AltStore). However, Mail plugins have been deprecated in newer macOS versions. In testing, malmeloo/FindMy.py and hajekj/OfflineFindRecovery were both able to retrieve reports from the servers.
If you simply want the location history of your own Find My devices, fjxmlzn/FindMyHistory is a useful tool, although it only records locations going forward from when you start running it. Apple's servers keep reports for the past seven days.
Note that while OpenHaystack beacons use Apple's Find My network, they will not appear in the Find My app. For devices bound to your account, the private keys can be obtained from Keychain; FindMy.py/issues/4 explains how to extract them and how the rotating public keys are calculated.

Conclusion

The nRF52 offers far better energy efficiency than the ESP32, making it ideal for battery-powered devices. Its low power consumption, coupled with Espruino's ease of use, unlocks immense potential in DIY and IoT applications, particularly smart homes, wearables, and environmental monitoring.
At the same time, the OpenHaystack project offers valuable insight into the inner workings of Apple's Find My network while raising important privacy and security questions. As the technology continues to advance, nRF52, Espruino, and OpenHaystack are poised to bring forth even more exciting possibilities and innovations.

© likaci 2013 - 2024