How to find an iPhone when it’s offline

iOS 15 lets you find an iPhone even when it is turned off: how it works and whether it is a security risk

iOS 15.0 brings a new feature: an iPhone can now be located through Find My even while it is “turned off”. How does it work, and does the feature pose a security problem?

I noticed this feature a while ago on one of my iPhones running the iOS 15 beta. Here is a screenshot I took in July; the user experience has changed a bit since then.

In iOS 15, the phone can be found even after it is powered off

What does “iPhone can be found after power off” actually mean? Evidently “power off” no longer means the phone is off: the device keeps running and does some kind of short-range, low-power data exchange. Not sure how to feel about it yet.

Always-on Processor (AOP)

There is very little public documentation about the AOP. Apple’s own chips, and many of the embedded controllers in its devices, run a real-time operating system called RTKitOS; the AOP in the iPhone is no exception. But the AOP has a special role: it is wired to almost every other chip in the iPhone. For some chips it only performs simple tasks such as power management; for others it acts as a transparent proxy that wakes iOS when necessary.

So a processor that is always on actually saves energy: iOS can sleep while the AOP waits for hardware events. One such event is input from the motion sensor, which is why the screen wakes when you lift the phone without pressing any button.

An internet search reveals that even Siri’s always-on voice trigger runs in the AOP. If you are not particularly interested in the technical details, you can skip the rest of this section. All you need to know is that the AOP is also connected to the wireless chips and to their power management interfaces.

Most iOS kernel drivers for these chips have a simple structure, and if a chip runs RTKitOS you can see it in the ioreg output. Rose, the Ultra-wideband chip also known as U1, appears in that list, for example.

The AOP carries its own copy of some of these drivers, even though it is not part of the iOS kernel. The U1 ranging control, for example, has a redundant implementation that works without nearbyd and can run in isolation inside the AOP.

Even if a chip is not RTKitOS-based, the AOP can still talk to it. The Bluetooth chip in the iPhone 11, 12 and 13 is made by Broadcom and runs the ThreadX operating system. The AOP nevertheless has partial control over Bluetooth: it does not follow the RTKitOS-based scheme, but it can power the Bluetooth chip through the spmi-bluetooth driver.

This is quite different from the HomePod mini and the Apple Watch, which use an Apple-made Bluetooth chip codenamed Marconi. The AOP controls Marconi through the marconi-bluetooth and aop-marconi-bt-control drivers.

Running a Bluetooth application while the iPhone is “off”

Everything the iPhone needs to keep Find My running while it is “off” is a simple power control plus a Bluetooth chip that can send Bluetooth LE advertisements. On top of that, the advertisements depend on a secret key tied to the Apple ID on the iPhone.

Broadcom Bluetooth chips are very similar to Cypress chips (Cypress took over Broadcom’s IoT Bluetooth business). The Cypress SDKs support standalone IoT applications that need only the Bluetooth chip and no additional host; these applications run in a ThreadX thread called mpaf. So let’s check whether there is an mpaf thread somewhere in the iPhone’s Bluetooth firmware. Download the iOS 15.0 IPSW, mount the largest .dmg inside it and look in /usr/share/firmware/bluetooth. The .bin files there are the patches that the Bluetooth PCIe driver loads into the chip; starting with the iPhone 11 they contain a number of debug strings. Running grep mpaf over them gives this list of devices that carry the feature:

  • iPhone 11 series, BCM4378B1 (Hei, Moana, Tala)
  • iPhone 12 series, BCM4387C2 (Almond, Cashew, Hazelnut, Pistachio)
  • iPhone 13 series, BCM4387C2 (Acacia, Camellia, Lilac, Mimosa)
  • iPad Air 2020 Series, BCM4387C2 (Pomegranate)
  • Some other iPad series, BCM4387C2 (Baobab, Boab, Rambutan)

The mpaf patch implements the lpm application. Its name probably stands for “low-power mode”, and it implements a GATT Bluetooth LE service. All of this is visible in the strings, and plonk had discovered it before me.

These patches are new in iOS 15; earlier firmware did not contain them. Their names match the expected functionality. This post will not give instructions on how to analyze the patches, dump the chip ROM and so on: the strings are enough to establish that the feature is implemented in the Bluetooth chip.
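The string triage described above, written out as an added example (this is not code from the original post). It reproduces the `strings | grep mpaf` step in Python so that it can be run offline against a constructed blob; `SAMPLE_PATCH` is a made-up byte string with a few debug strings embedded in it, not an Apple firmware file, and `triage_patch_dir` is a helper I added for running the same check over a mounted firmware directory.

```python
from __future__ import annotations

import re
from pathlib import Path

# Constructed stand-in for a Bluetooth firmware patch: a few ASCII debug
# strings of the kind the post greps for, surrounded by arbitrary bytes.
# This is not an Apple firmware file.
SAMPLE_PATCH = (
    b"\x00\x01\x7f\xffmpaf_thread_main\x00\x13\x37"
    b"\xde\xad\xbe\xeflpm_app_init\x00\x00\xa5"
    b"gatt_server_start\x00\x90\x90\x90hci_reset\x00"
    b"\x01\x02\x03ab\x00"            # "ab" is too short to count as a string
)

# Markers the post found in the iOS 15 patches.
LPM_MARKERS = ("mpaf", "lpm", "gatt")


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Same idea as `strings -n 4`: every run of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_markers(blob: bytes, markers=LPM_MARKERS) -> dict[str, list[str]]:
    """Group the extracted strings by which marker they contain (case-insensitive)."""
    hits: dict[str, list[str]] = {m: [] for m in markers}
    for s in extract_strings(blob):
        low = s.lower()
        for m in markers:
            if m in low:
                hits[m].append(s)
    return hits


def has_lpm_app(blob: bytes) -> bool:
    """The post's criterion: a patch is interesting if it mentions the mpaf thread at all."""
    return bool(find_markers(blob)["mpaf"])


def triage_patch_dir(directory: str, markers=LPM_MARKERS) -> dict[str, dict[str, int]]:
    """Run the same check over every .bin in a directory, e.g. the mounted
    /usr/share/firmware/bluetooth from an IPSW. Returns per-file hit counts."""
    report = {}
    for path in sorted(Path(directory).glob("*.bin")):
        hits = find_markers(path.read_bytes(), markers)
        report[path.name] = {m: len(v) for m, v in hits.items()}
    return report


if __name__ == "__main__":
    for marker, strings in find_markers(SAMPLE_PATCH).items():
        print(f"{marker:5s} -> {strings}")
```

Against a real firmware directory, `triage_patch_dir("/Volumes/<mounted dmg>/usr/share/firmware/bluetooth")` gives one row per patch; a patch with a zero `mpaf` count is a chip that did not get the low-power Find My application.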

Is the key material stored in the U1 chip?

A little birdie told me that the phone writes a sequence of pre-computed cryptographic beacons to the UWB chipset, but the birdie is a poor substitute for the documentation.


The AirTag keeps its key material in the U1 chip. Apple called the nRF chip in the AirTag “Durian” for a reason: the company neither likes nor trusts it, but it is cheap and consumes little power. The U1 sleeps most of the time and wakes up only occasionally.

The iPhone works differently: it keeps the keys in the Secure Enclave (SEP). One early U1 build even had debug strings for exchanging key material between the U1 and the SEP, but these are gone from recent builds. So the birdie was right about the AirTag but not about the iPhone.

Passing the key material to the Bluetooth chip

With the Bluetooth debug profile installed on an iPhone 12 running iOS 15.1 beta 2, the idevicesyslog output just before shutdown looks like this:

  Sep 30 22:02:58 BlueTool[126] Notice: Completed handling of dictionary-xpc event
  Sep 30 22:02:58 bluetoothd[89] Notice: BlueTool finished running "hci reset" command - output was "0x0e 0x04 0x01 0x03 0x0c 0x00"
  Sep 30 22:02:58 BlueTool[126] Notice: Completed handling of dictionary-xpc event
  Sep 30 22:02:58 bluetoothd[89] Notice: BlueTool finished running "hci cmd 0xFE62 0x06 …" command - output was "decode: missing data"
  Sep 30 22:02:59 bluetoothd[89] Notice: BlueTool finished running "hci cmd 0xFE62 0x06 …" command - output was "decode: missing data"
  Sep 30 22:02:59 BlueTool[126] Notice: Completed handling of dictionary-xpc event
  Sep 30 22:02:59 bluetoothd[89] Notice: BlueTool finished running "hci cmd 0xFE62 0x06 …" command - output was "decode: missing data"
  Sep 30 22:02:59 BlueTool[126] Notice: Completed handling of dictionary-xpc event
  Sep 30 22:02:59 bluetoothd[89] Notice: BlueTool finished running "hci cmd 0xFE62 0x06 …" command - output was "decode: missing data"
  Sep 30 22:02:59 BlueTool[126] Notice: Completed handling of dictionary-xpc event
  Sep 30 22:02:59 bluetoothd[89] Notice: BlueTool finished running "hci cmd 0xFE62 0x06 …" command - output was "decode: missing data"
  Sep 30 22:02:59 BlueTool[126] Notice: Completed handling of dictionary-xpc event
  Sep 30 22:02:59 bluetoothd[89] Notice: BlueTool finished running "hci cmd 0xFE62 0x07 0x00 0x01" command - output was "0x0e 0x05 …"
  Sep 30 22:02:59 BlueTool[126] Notice: Completed handling of dictionary-xpc event
  Sep 30 22:02:59 bluetoothd[89] Notice: BlueTool finished running "bcm.s 0x0f,0x00,0x02,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00" command - output was ""
  Sep 30 22:02:59 BlueTool[126] Notice: Completed handling of dictionary-xpc event
  Sep 30 22:02:59 bluetoothd[89] Notice: BlueTool finished running "hci cmd 0xFE62 0x04" command - output was "0x0e 0x05 0x01 0x62 0xfe 0x00 0x04"
  Sep 30 22:02:59 backboardd(libEDR)[66] Notice: ScheduleSetBrightnessIn_block_invoke: enter WaitUntil late 0.126834 millisecond (333 / 333)
  Sep 30 22:02:59 backboardd[66] Notice: brightness change:0.67814 reason:BrightnessSystemDidChange options:private
  Sep 30 22:02:59 SpringBoard(FrontBoard)[62] Notice: Shutdown task "NotifyBluetooth" complete after 1.59s
  Sep 30 22:02:59 SpringBoard(CoreUtils)[62] Notice: Invalidate CID 0x2B760001
  Sep 30 22:02:59 SpringBoard(FrontBoard)[62] Notice: Shutdown tasks complete.
  Sep 30 22:02:59 SpringBoard(CoreUtils)[62] Notice: Invalidated
  Sep 30 22:02:59 bluetoothd[89] Notice: BT_FW_OK flag is set. Entering LPM.
  Sep 30 22:02:59 bluetoothd(CoreUtils)[89] Notice: LPM entry took 1578ms
  Sep 30 22:02:59 bluetoothd[89] Notice: Sending BT Stats to CoreAnalytics for com.apple.BTLpmManagerStats
  Sep 30 22:02:59 bluetoothd[89] Notice: PowerManager power state is 0
  Sep 30 22:02:59 bluetoothd[89] Notice: PowerManager power state is 0
  Sep 30 22:02:59 bluetoothd[89] Notice: PowerManager power state is 0
  Sep 30 22:02:59 bluetoothd[89] Notice: PowerManager power state is 0

The “hci cmd 0xFE62 0x06” step is repeated many times, each time followed by what looks like random bytes. These are the beacons being written into the Bluetooth chip, so I cut them out of the listing. At the very end the Bluetooth chip reports that it is entering low-power mode (LPM), and immediately after that the iPhone “shuts down”.

Every Find My advertisement starts with the bytes 0x4c 0x00 0x12 0x19 (Apple’s Bluetooth company ID in little-endian order, the offline-finding type 0x12, and a payload length of 25), and exactly this byte sequence shows up in the BlueTool output. A total of 80 such messages are written to the Bluetooth chip.

In case you want to debug this yourself: the HCI reset is the last thing visible in Apple’s PacketLogger, whereas idevicesyslog keeps showing the BlueTool output and commands after it.
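To make the shutdown listing easier to read, here is an added example (not code from the original post) that parses the BlueTool lines, decodes the HCI opcodes and Command Complete replies, and counts the beacon writes that carry the 0x4c 0x00 0x12 0x19 prefix. `SAMPLE_LOG` is a constructed excerpt in the shape of the listing above: the parameter bytes after “0xFE62 0x06” are made up, because the real beacon bytes are elided in the post, and the reply to the 0x07 command is likewise an assumed value. The meaning of the vendor sub-opcodes is not known from the page, so the code only tallies them.

```python
from __future__ import annotations

import re
from collections import Counter
from typing import Optional

# Constructed sample in the shape of the idevicesyslog listing above. The
# bytes after "0xFE62 0x06" are invented and only keep the Find My prefix;
# nothing here is a real key.
SAMPLE_LOG = """\
Sep 30 22:02:58 bluetoothd[89] Notice: BlueTool finished running "hci reset" command. output was "0x0e 0x04 0x01 0x03 0x0c 0x00"
Sep 30 22:02:58 bluetoothd[89] Notice: BlueTool finished running "hci cmd 0xFE62 0x06 0x00 0x1e 0xff 0x4c 0x00 0x12 0x19 0x00 0xaa 0xbb" command, output was "decode: missing data"
Sep 30 22:02:59 bluetoothd[89] Notice: BlueTool finished running "hci cmd 0xFE62 0x06 0x01 0x1e 0xff 0x4c 0x00 0x12 0x19 0x00 0xcc 0xdd" command, output was "decode: missing data"
Sep 30 22:02:59 bluetoothd[89] Notice: BlueTool finished running "hci cmd 0xFE62 0x07 0x00 0x01" command, output was "0x0e 0x05 0x01 0x62 0xfe 0x00 0x07"
Sep 30 22:02:59 bluetoothd[89] Notice: BlueTool finished running "hci cmd 0xFE62 0x04" command, output was "0x0e 0x05 0x01 0x62 0xfe 0x00 0x04"
Sep 30 22:02:59 bluetoothd[89] Notice: BT_FW_OK flag is set. Entering LPM.
"""

# Accept the straight, curly and guillemet quotes that appear in the listing.
Q = '["«»“”]'
LINE_RE = re.compile(
    rf'BlueTool finished running {Q}(?P<cmd>.*?){Q} command.*?output was {Q}(?P<out>.*?){Q}'
)
HCI_CMD_COMPLETE = 0x0E
HCI_RESET = 0x0C03                                  # OGF 0x03 (controller & baseband), OCF 0x003
FIND_MY_PREFIX = bytes([0x4C, 0x00, 0x12, 0x19])   # Apple company ID, offline-finding type, length 25


def hex_bytes(text: str) -> bytes:
    """'0x0e 0x04 ...' -> bytes; non-hex output such as 'decode: missing data' -> b''."""
    return bytes(int(t, 16) for t in text.split() if re.fullmatch(r"0x[0-9a-fA-F]{1,2}", t))


def split_opcode(opcode: int) -> tuple[int, int]:
    """HCI opcode = OGF (6 bits) << 10 | OCF (10 bits). OGF 0x3F is vendor-specific."""
    return opcode >> 10, opcode & 0x3FF


def parse_command(cmd: str) -> Optional[tuple[int, bytes]]:
    """'hci reset' or 'hci cmd <opcode> <param bytes>' -> (opcode, params)."""
    toks = cmd.split()
    if toks == ["hci", "reset"]:
        return HCI_RESET, b""
    if len(toks) >= 3 and toks[:2] == ["hci", "cmd"]:
        return int(toks[2], 16), bytes(int(t, 16) for t in toks[3:])
    return None


def decode_command_complete(evt: bytes) -> Optional[dict]:
    """Decode an HCI Command Complete event as BlueTool prints it: event code,
    parameter length, Num_HCI_Command_Packets, opcode (little-endian), status, return params."""
    if len(evt) < 6 or evt[0] != HCI_CMD_COMPLETE:
        return None
    plen = evt[1]
    return {"opcode": evt[3] | (evt[4] << 8), "status": evt[5], "return": evt[6:2 + plen]}


def summarize_shutdown_log(log: str) -> dict:
    """Tally commands by (opcode, vendor sub-opcode), count Find My beacon writes,
    collect failed replies and note whether the chip reported entering LPM."""
    summary = {"commands": Counter(), "find_my_beacons": 0, "failed": [], "entered_lpm": False}
    for line in log.splitlines():
        if "Entering LPM" in line:
            summary["entered_lpm"] = True
        m = LINE_RE.search(line)
        if not m:
            continue
        parsed = parse_command(m.group("cmd"))
        if parsed is None:
            continue
        opcode, params = parsed
        ogf, _ = split_opcode(opcode)
        sub = params[0] if (ogf == 0x3F and params) else None   # vendor sub-opcode, if any
        summary["commands"][(opcode, sub)] += 1
        if FIND_MY_PREFIX in params:
            summary["find_my_beacons"] += 1
        evt = decode_command_complete(hex_bytes(m.group("out")))
        if evt is not None and evt["status"] != 0:
            summary["failed"].append((opcode, sub, evt["status"]))
    return summary


if __name__ == "__main__":
    s = summarize_shutdown_log(SAMPLE_LOG)
    for (opcode, sub), n in s["commands"].items():
        ogf, ocf = split_opcode(opcode)
        print(f"opcode 0x{opcode:04x} (OGF 0x{ogf:02x}, OCF 0x{ocf:03x}) sub={sub} x{n}")
    print("Find My beacons written:", s["find_my_beacons"], "| entered LPM:", s["entered_lpm"])
```

Feed it the full idevicesyslog capture (`idevicesyslog | tee shutdown.log`, then `summarize_shutdown_log(open("shutdown.log").read())`) and the beacon count should come out at the 80 the post observed; a non-zero status in `failed` would mean the chip rejected one of the writes.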

Impact on security and privacy

The new Find My feature is the first time the general public has heard about the AOP, and about the Bluetooth chip’s ability to keep working while iOS is off.

If someone has compromised your iPhone and is spying on you, the malware can show a “power off” screen and still not turn the iPhone off. Never assume a device is off until the battery has been removed, or better yet, it has been shoved into a blender. This is not hypothetical: the CIA’s Weeping Angel implant, published in the Vault 7 leaks, added a fake off mode to Samsung smart TVs for exactly this purpose.

The Find My protocol has several interesting privacy-protection mechanisms. It has been fully reverse-engineered and there is an open-source implementation. Moreover, the AirGuard app can identify Find My BLE beacons on Android. If you are worried about leaking your location through Find My, you can simply turn the feature off on your iPhone.
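An added example (not code from the original post, nor from AirGuard or the open-source implementation) of what a scanner has to do to recognise a Find My beacon and what a rotating key looks like on the air. The advertisement layout used here is the one documented by the public reverse engineering (Heinrich et al., OpenHaystack): the first six bytes of the 28-byte public key become the BLE address, the rest ride in the Apple manufacturer-specific structure behind the 0x4c 0x00 0x12 0x19 prefix. That layout is not described on this page and should be read as that project’s finding; the key bytes in the demo are constructed, not real key material.

```python
from __future__ import annotations

from typing import Iterator, Optional

# Find My (offline finding) advertisement layout per the OpenHaystack reverse
# engineering, not from this page or from Apple.
FIND_MY_PREFIX = bytes([0x4C, 0x00, 0x12, 0x19])   # Apple company ID (LE), type 0x12, payload length 25
AD_MANUFACTURER_SPECIFIC = 0xFF
KEY_LEN = 28                                       # x-coordinate of a P-224 public key


def build_find_my_advertisement(pubkey: bytes, status: int = 0) -> tuple[bytes, bytes]:
    """Return (BLE address, 31-byte advertising payload) for one rotating public key.
    The first 6 key bytes become the address, with the top two bits forced to 1 so it
    is a valid random static address; the remaining 22 bytes and the two displaced
    bits travel in the manufacturer-specific AD structure."""
    if len(pubkey) != KEY_LEN:
        raise ValueError("expected a 28-byte public key")
    address = bytes([pubkey[0] | 0xC0]) + pubkey[1:6]
    payload = (
        bytes([0x1E, AD_MANUFACTURER_SPECIFIC])   # AD length 30, type 0xFF
        + FIND_MY_PREFIX
        + bytes([status & 0xFF])
        + pubkey[6:28]
        + bytes([pubkey[0] >> 6, 0x00])           # displaced top bits, hint byte
    )
    return address, payload


def iter_ad_structures(payload: bytes) -> Iterator[tuple[int, bytes]]:
    """Walk the length/type/data structures of a BLE advertising payload."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            return
        yield payload[i + 1], payload[i + 2 : i + 1 + length]
        i += 1 + length


def is_find_my_advertisement(payload: bytes) -> bool:
    return any(t == AD_MANUFACTURER_SPECIFIC and d[:4] == FIND_MY_PREFIX
               for t, d in iter_ad_structures(payload))


def parse_find_my_advertisement(address: bytes, payload: bytes) -> Optional[bytes]:
    """Reconstruct the 28-byte public key from an (address, payload) pair, or return
    None if this is not a well-formed Find My advertisement. A scanner keys its
    sightings on this value; it changes every time the beacon rotates its key."""
    for ad_type, data in iter_ad_structures(payload):
        if ad_type != AD_MANUFACTURER_SPECIFIC or data[:4] != FIND_MY_PREFIX:
            continue
        if len(data) != 29 or len(address) != 6:
            return None
        top_bits = data[27] & 0x03
        first = (address[0] & 0x3F) | (top_bits << 6)
        return bytes([first]) + address[1:6] + data[5:27]
    return None


if __name__ == "__main__":
    key = bytes([0x9A]) + bytes(range(1, 28))     # constructed, not a real key
    addr, adv = build_find_my_advertisement(key)
    print("address :", addr.hex(":"))
    print("payload :", adv.hex())
    print("key back:", parse_find_my_advertisement(addr, adv) == key)
```

Because both the address and the payload are derived from the key, an observer who only records BLE addresses sees an unrelated address after every rotation, which is the privacy property the next paragraphs describe; a scanner like AirGuard has to correlate repeated sightings over time rather than match a fixed identifier.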

Keep in mind that the other wireless chips leak location information too. Your cellular connection can locate you and your carrier can store your location history; Wi-Fi leaks location as well (although MAC address randomization helps), and that is not all. Whatever you do, a smartphone is a human tracking device. The privacy protection in Find My removes only one of many possible ways of being tracked.

The scariest part may be that the AOP and the Bluetooth chip’s LPM open a new avenue for malware that persists in firmware and keeps running while iOS is off.


How to use Find My to locate lost Apple devices like the iPhone

Preserving Timmy’s anonymity

The most important property of the system is that outsiders must not be able to track Timmy, especially when he is not lost. This rules out some obvious solutions, such as Timmy’s device simply shouting “Hi, my name is Timmy, please call my mom Ruth and tell her I’m lost.” It also rules out almost any unchanging static identifier, even an opaque, random-looking one.

This last requirement stems from the unfortunate experience with services that abuse static identifiers (such as your Wi-Fi MAC address) to track the movement of devices. Apple fights this kind of tracking, with mixed success, by randomizing identifiers such as MAC addresses. Adding a static tracking ID for Find My would only make the problem worse.

This requirement means that any message Timmy sends must be opaque. Moreover, these messages must change fairly often to new values that cannot be linked to the old ones. One obvious way for a paired device to recognize such messages is for Timmy and Ruth to agree on a long list of random “aliases” for Timmy, and for Timmy to pick a different one each time.

This actually works. Each time Lassie sees some (unknown) device broadcasting an alias, she does not know whether it belongs to Timmy, but she can send it to Apple’s servers along with her own GPS location. If Timmy gets lost, Ruth can ask Apple to look up every alias Timmy might have used. Nobody outside Apple knows the list, and even Apple only learns it after someone is lost, so this approach prevents most kinds of tracking.

A slightly more efficient way to implement the idea is to use a cryptographic function (such as a MAC or a hash function) to generate the list of aliases from a single short “seed”, of which Timmy and Ruth each keep a copy. That is nice because it reduces the amount of data stored. But to find Timmy, Ruth still has to send all the aliases (or the seed) to Apple, which then has to search for each alias in its database.
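The seed-based alias scheme from the last two paragraphs, as an added example (not code from the original article, and deliberately the simplified scheme it describes rather than Apple’s actual key derivation). Aliases are derived with an HMAC over a counter, Timmy broadcasts one per period, Lassie relays whatever she hears together with her position, and Ruth has to regenerate and submit every alias to get the sightings back. The four roles, the seed length and the 16-byte alias length are choices made for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import defaultdict

ALIAS_LEN = 16   # demo choice; only the unlinkability of aliases matters here

Location = tuple[float, float]


def alias_at(seed: bytes, index: int) -> bytes:
    """Alias number `index`, derived from the shared seed with HMAC-SHA256.
    Without the seed, one alias reveals nothing about the next."""
    return hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha256).digest()[:ALIAS_LEN]


class Timmy:
    """The device. Holds the seed and broadcasts a fresh alias each period."""
    def __init__(self, seed: bytes):
        self.seed, self.index = seed, 0

    def broadcast(self) -> bytes:
        alias = alias_at(self.seed, self.index)
        self.index += 1
        return alias


class AppleServer:
    """Stores alias -> sightings without knowing whose alias it is."""
    def __init__(self):
        self.sightings = defaultdict(list)

    def report(self, alias: bytes, location: Location) -> None:
        self.sightings[alias].append(location)

    def lookup(self, aliases: list[bytes]) -> list[Location]:
        found: list[Location] = []
        for a in aliases:
            found.extend(self.sightings.get(a, []))
        return found


class Lassie:
    """A passer-by: forwards any alias she hears together with her own position."""
    def __init__(self, server: AppleServer, location: Location):
        self.server, self.location = server, location

    def hear(self, alias: bytes) -> None:
        self.server.report(alias, self.location)


class Ruth:
    """The owner. Keeps the seed; to search she must regenerate every alias Timmy
    may have used so far and hand the whole list to Apple."""
    def __init__(self, seed: bytes):
        self.seed = seed

    def find(self, server: AppleServer, max_index: int) -> tuple[list[Location], int]:
        aliases = [alias_at(self.seed, i) for i in range(max_index)]
        return server.lookup(aliases), len(aliases)


def run_scenario(seed: bytes, periods: int = 3) -> tuple[list[bytes], list[Location], int]:
    """Timmy walks past Lassie for several periods; Ruth then asks Apple.
    Returns (aliases on the air, sightings Ruth recovered, aliases she had to submit)."""
    server = AppleServer()
    timmy, lassie = Timmy(seed), Lassie(server, (52.52, 13.405))   # constructed location
    heard = [timmy.broadcast() for _ in range(periods)]
    for alias in heard:
        lassie.hear(alias)
    locations, queries = Ruth(seed).find(server, max_index=periods)
    return heard, locations, queries


if __name__ == "__main__":
    seed = secrets.token_bytes(32)   # fresh random seed shared by Timmy and Ruth
    heard, locations, queries = run_scenario(seed)
    print("aliases on the air:", [a.hex() for a in heard])
    print("Ruth recovered", len(locations), "sightings using", queries, "alias lookups")
```

The cost the article points out is visible in the return value of `Ruth.find`: the number of lookups grows with the number of rotation periods, so the server either receives the whole list or, as the article notes, the seed itself.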

How to find a friend’s iPhone via Find My

Apple introduced the Find My app (called “Locator” in some localizations) two years ago, but only now has it grown into a full-featured search tool. It can find not only a lost iPhone but also a MacBook, a MagSafe wallet, AirPods or third-party headphones. What matters is hardware and software compatibility; what exactly is being searched for matters less, it could even be a bicycle. Fewer people know that Find My can locate not only your own device but a friend’s as well, whether it is an iPhone, iPad, Mac or something else.

Find My can locate not just your own iPhone but a friend’s iPhone too

You may already have seen the “Help a Friend” button that appeared in the Find My app, but few people have any idea what it does. Yet it lifts a serious limitation: it lets you find a device that is tied to someone else’s Apple ID.

The limitation is the sign-in confirmation that is sent to a trusted device to verify the user: without it you cannot sign in to iCloud to locate the missing device. But if you use Find My on a friend’s device through Help a Friend, that confirmation is not required.

How to find your iPhone if it’s turned off or dead

Two years ago Apple re-released the Find iPhone app under a new name and with more features. It learned to find not only iPhones but other devices too, including ones not made by Apple; with it you can find lost headphones, a bicycle and much more. The iPhone, for instance, no longer needed an active network connection to be found: it was enough to put it into Lost Mode remotely, and it would talk to the smartphones of people passing by and relay its location to its owner through them. Genius indeed. And now the iPhone does not even need a charged battery to be found.

Now you can find your iPhone even if it is turned off or its battery is dead

iOS 15 introduced a mechanism called Power Reserve, which lets the iPhone keep sending its Find My beacon for a few more hours after the battery is fully depleted. The phone holds back a small amount of energy, enough to keep broadcasting in the hope that someone passes by and picks the signal up.

The reserved amount is so small you will not notice it is gone. Apple has not said exactly how much power is set aside, but it is clearly under 1 percent. It is still enough to broadcast the signal to passing devices over Bluetooth Low Energy for up to 5 hours.

How to reset your Apple ID password

  • Go to the Apple ID account management page.
  • Click the “Forgot Apple ID or password” link.
  • Select “Reset Password”.
  • Enter the email address the Apple ID is linked to.
  • Enter the 6-digit confirmation code sent to you by email.

How to view your travel history

  • Open “Settings”.
  • Go to “Privacy” (the icon with the white hand on a blue background).
  • Select “Location Services”.
  • Scroll to the end of the list and select “System Services”.
  • At the bottom of that list you will find “Significant Locations”.

What’s changed

The Find My home screen now has two tabs: People (friends and family) and Devices (your gadgets)

▪️ For each friend there are three actions: view their contact, get directions to them, and set notifications

You can name your current location yourself

The first tab shows the devices of friends who have agreed to share their location with you.

Select a person and you see their exact location, with the address written underneath.

You can share your own location with other people directly in Find My

You can also quickly get directions to a contact and open their contact card right there.

Notifications can be set either for yourself or for the other person: to be told when they arrive at or leave a place, or conversely to let them know when you do, and to share your location at a particular moment.

Alerts are based on the person’s location and fire when they arrive at or leave a specific place

▪️ In the Devices tab you can also lock a device remotely

The second tab lists all your devices; the design of this screen has changed too.

Here you can remotely play a sound, get directions to the device, be notified when it is found, and mark it as lost. You can also erase the device or remove it from the list.

If the device is found, you will receive a corresponding email with the exact geolocation

Note: removing a device from the list does not trigger any extra confirmation. The device disappears as soon as you press the button, but it comes back after you restart the app.

Find My in iOS 15 will learn to locate discharged and reset iPhones

When Apple introduced Find My for locating missing devices a year ago, it was a real sensation: nobody had managed before to make other people’s devices pick up a signal from a lost one and relay its location to the real owner. But Apple did not stop there. After all, if a lost iPhone was switched off or cut off from the network, it could not be found, and thieves and people who happened to find a device took advantage of that. Now that too will be a thing of the past.

Find My will learn to find dead and erased iPhones

With the release of iOS 15, Find My will be able to locate not only iPhones that are cut off from the internet but also ones that are completely discharged. Moreover, it will be possible to find a lost smartphone even after a full data reset: if it is rolled back to factory settings, it keeps enough of the original information to remain findable.

Find iPhone will work even if it’s turned off

When Apple stresses during a presentation that its products are among the most secure in the world, it is not lying. The developers do everything they can to reduce theft of gadgets with the coveted apple logo.

So in mid-2010 the Find My iPhone (Find iPhone) feature appeared. With it, the owner of an iOS device can remotely lock a lost or stolen device, send a message asking for its return, erase the data stored on it, or see the exact location of the smartphone or tablet on a map.

But there is one “but”: all of this works only while the iPhone or iPad is on. It is enough to switch the phone off and remove the SIM card, and the device can no longer be detected. That follows from how Activation Lock and Find iPhone work: exchanging data with iCloud needs an internet connection, provided either by the SIM card or by a Wi-Fi network.

Apple has decided to go a step further and patented a new mode of operation for Find iPhone. It appears that the company’s next generations of smartphones will be able to send their location even after a complete shutdown. The patent application frames this as a new theft-protection principle.

So the iPhone will periodically wake itself up, send its location data and go back to “sleep mode”. To give iOS devices this function, Apple only needs to add an independent timer. How this would work on devices without a GPS module, Apple does not say. [CoM]

The Find iPhone feature in iOS 13 works without the internet

In iOS 13 the company merged the Find Friends and Find iPhone apps into a single Find My app.

The main innovation is the ability to find a lost iPhone that has no internet connection. The smartphone sends a Bluetooth beacon to another Apple device that happens to be nearby.

This forms a local, encrypted network for finding a lost device: all data about the device’s location is relayed through another gadget that is connected to the internet. [MacRumors]