biemster / FindMy

Query Apple's Find My network

Issue with IOS 17 #40

Closed shiprec closed 6 months ago

shiprec commented 10 months ago

Are you all seeing reporting issues from devices that have upgraded to iOS 17? I haven't seen any updates come through since my phone upgraded, but when I go back to 16 it works fine.

humpataa commented 7 months ago

iOS 17.4 beta 2 still no difference.

shiprec commented 7 months ago

I sent the updated test request to the manufacturer, but they won't get to it till after the CNY holiday (they are back Feb 17th).

biemster commented 7 months ago

I am 100% sure it is one of the following problems:

  • iOS17.x does not send report packages at all OR
  • report packages from iOS17.x devices are not stored correctly on server OR
  • server does not send out reports originating from iOS17.x when requested by FindMy app

Did we exclude iOS17 sending out something different than just the hashed advertisement key? Maybe openhaystack reversed version 1 of the protocol, and iOS17+ is doing something fancier now? (although this would mean that the FindMy app on macOS should also have switched to the new protocol. We definitely need more network captures, both from macOS sonoma+ and iOS17+, real proper airtags, 3rd party airtags and clones)

malmeloo commented 7 months ago

I was thinking it might not work due to there being no key rotation. Maybe iOS 17 will only generate reports for a certain device for up to x hours as an anti-stalking measure? That would greatly reduce the number of reports generated while the tag is stationary, while not really affecting it while in movement. It would also explain why official/3rd party tags are unaffected.

I live in fairly densely packed student housing. The tag in my backpack has been stationary a few times over the past week, but it was still actively generating reports. Almost no reports have been generated at night time, yet it's still mostly the same people that are in my area. In fact, I'm willing to bet there's more people here at night than there are during the day, but phones do move in and out of range less often.

If statcounter is anything to go by, the market share of iOS 17.x in my country is around 70%. But during those stationary periods I'm frequently seeing 3-4 reports within the same minute, so they aren't generated by the same phone. I'm guessing there are around 10 neighbours in bluetooth range of my room, so if you factor in the number of android users as well, it seems rather unlikely that 17 isn't generating any reports at all.

If I get around to it this week, I'll try to build some firmware that does rotate keys, and does so during the night. If that results in a spike of generated reports, it might just be the reason we've been looking for.

biemster commented 7 months ago

Yeah that crossed my mind as well, if an iOS17 device sees the same key more than 15 minutes apart (the rotation interval, which I learned from you, great stuff in your repo!), it could deduce it's a fake tag and not report it.

humpataa commented 7 months ago

It would also explain why official/3rd party tags are unaffected.

As far as my tests show, it does affect all devices: original, certified and fake tags.

Apple has released data that currently around 66% of all iPhones already have iOS 17 and 53% of all iPads have iPadOS 17. This is still enough to keep the network running, but interval and accuracy are getting worse every day.

Playing around almost every day with tags for the last months I have noticed that the distance of these little things is quite surprising even indoors. So making the problem visible really needs a quiet area.

Yeah that crossed my mind as well, if an iOS17 device sees the same key more than 15 minutes apart, it could deduce it's a fake tag and not report it.

That would mean that iOS17 always waits until a device changes its key before reporting it ... no way, I don't think so. Key rotation is important for stalking detection only I believe.

Itheras commented 7 months ago

It seems there is a disconnect here. I have mentioned my test. I live in a pretty rural area where I have control of the phones exposed to the tags. Official/3rd party tags are also affected; I retested, and iOS 17 does not report clones or official 3rd party tags while in lost mode. I tried 3 different types from different vendors, all 3rd party official; none work correctly on iOS 17, only 16. They seem to work until they enter lost mode.

Sorry, didn't see @humpataa's response, but he is right: it affects all tags it seems. I have tested on both fake and official. Also, key rotation is just for BLE sniffers.

biemster commented 7 months ago

Thanks @humpataa and @Itheras , this thread got a bit confusing even for people that read everything. So to conclude:

@humpataa tested

  1. the $29 official airtag
  2. the $4 3rd party tag
  3. and the $1 openhaystack cloned tag
  4. did you maybe also look at network captures?
  5. Conclusion: with only iOS17 nearby no reports can be retrieved with either the FindMy app (1. and 2.) or the python script (2. and 3.)

and @Itheras tested

  1. the $29 official airtag
  2. the $4 3rd party tag
  3. and the $1 openhaystack cloned tag
  4. network captures on sonoma, no reports sent to /submit for either 1. 2. or 3. in lost mode (but it might be that only iPhones and iPads use this anyway)
  5. Conclusion: with only iOS17 nearby no reports can be retrieved with either the FindMy app (1. and 2.) or the python script (2. and 3.)

@ngxson also mentioned far fewer reports with the $29 official AirTags.

malmeloo commented 7 months ago

The broadcasted rotation interval is actually up to 24 hours, as the tag latches onto either the primary or secondary key until 4 AM when it becomes "lost". My "unaffected" claim was worded incorrectly as it would still affect official tags, just to a lesser degree as the effect would be reset the next day. But @humpataa and @Itheras' experiments (which I completely missed somehow, sorry!) do indeed rule that option out, as that would still generate at least some reports.

At the same time I find it hard to believe that this could be an issue on Apple's side, as they would presumably monitor this kind of statistic? Maybe not per iOS version, but the total number of generated reports dropping by at least ~50% does sound like something they would notice. But that's just speculation on my part.
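To make the reasoning above concrete, here is a constructed simulation (added example, not code from this repository and not a description of what iOS actually does): it models the hypothesized finder rule "do not report a key already seen more than 15 minutes ago" over a stationary tag with the three key schedules discussed in the thread, and counts the reports that rule would predict. All timestamps and key names are made up.

```python
from datetime import datetime, timedelta

# Rotation interval quoted in the thread for OpenHaystack-style firmware.
WINDOW = timedelta(minutes=15)


def hypothesized_finder_policy(sightings, window=WINDOW):
    """Model of the hypothesis, NOT Apple's real behaviour: a finder only
    uploads a report for an advertised key while that key is within
    `window` of the first time the finder saw it. A key that never rotates
    therefore stops producing reports after one window; a key that rotates
    keeps producing them. `sightings` is a time-ordered list of
    (timestamp, key) tuples. Returns the number of reports uploaded."""
    first_seen = {}
    reports = 0
    for ts, key in sightings:
        start = first_seen.setdefault(key, ts)
        if ts - start <= window:
            reports += 1
    return reports


def simulate_sightings(rotation, hours=48, step_minutes=5):
    """Constructed sightings: one stationary tag, one finder walking past
    every `step_minutes`. Key schedules taken from the discussion:
      'never' - clone with a fixed key,
      'daily' - official tag that keeps its key until 04:00 (per malmeloo),
      '15min' - firmware that rotates every 15 minutes."""
    start = datetime(2024, 1, 1, 0, 0)  # constructed date
    first_4am = start + timedelta(hours=4)
    sightings = []
    for i in range(hours * 60 // step_minutes):
        ts = start + timedelta(minutes=i * step_minutes)
        if rotation == "never":
            key = "clone-key"
        elif rotation == "daily":
            # number of 04:00 boundaries passed so far (0 before the first)
            passed = (ts - first_4am) // timedelta(days=1) + 1
            key = f"daily-key-{passed}"
        elif rotation == "15min":
            key = f"rot-key-{(ts - start) // timedelta(minutes=15)}"
        else:
            raise ValueError(rotation)
        sightings.append((ts, key))
    return sightings


def predicted_report_counts():
    """Reports each schedule would yield over 48 hours under the hypothesis."""
    return {
        schedule: hypothesized_finder_policy(simulate_sightings(schedule))
        for schedule in ("never", "daily", "15min")
    }


if __name__ == "__main__":
    # The 'daily' schedule still yields a handful of reports per day, which
    # is the "at least some reports" point made in the thread.
    for schedule, count in predicted_report_counts().items():
        print(f"{schedule:>5}: {count} reports in 48 h")
```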

humpataa commented 7 months ago

At the same time I find it hard to believe that this could be an issue on Apple's side, as they would presumably monitor this kind of statistic? Maybe not per iOS version, but the total number of generated reports dropping by at least ~50% does sound like something they would notice. But that's just speculation on my part.

Well, it would be hard to notice if the "finder report packs" are sent to Apple's server with iOS 17 as usual, but either don't get stored properly or are not sent out properly when requested. It's practically invisible: not noticeably fewer reports stored, not noticeably fewer requests, data stored and transferred, usable or not.

It IS hard to believe that it really IS Apple's fault. But a few people have done quite a lot of tests and it LOOKS like it really is Apple's fault. I have tried to watch traffic, but it's not easy to do so. I have also made many attempts to exactly copy the advertising of an original tag ... offering services, setting the state bits, hint byte, type of advertising ... I don't know if I did it all right, but it had ZERO impact on the reports. I believe nothing has changed in the protocol (the docs haven't changed), I don't even think iOS 17 is "more picky" when looking for tags. I agree with @biemster: it looks like a server side issue.

I have also asked people in several forums to recreate the issue, but it's hard as well because you not only need at least one iPhone with old iOS, an AirTag of a friend who is not at the same place and watching his Find My app, but a rural area without someone interfering. Beside filing bug reports I have tried to make contact with Apple through my MFi developer account, but have not received any response yet. Guess we just have to wait.

malmeloo commented 7 months ago

Well, it would be hard to notice if the "finder report packs" are sent to Apple's server with iOS 17 as usual, but either don't get stored properly or are not sent out properly when requested. It's practically invisible: not noticeably fewer reports stored, not noticeably fewer requests, data stored and transferred, usable or not.

That's a good point, I hadn't considered that yet. Luckily though, at the current adoption rate it probably won't take long until they're forced to take a look at it.

humpataa commented 7 months ago

iOS17.4 beta 4 (developer): no change.

The quality of the FindMy network is getting really bad now, must be noticeable at Apple's end.

Added later ... interesting thing I have noticed lately: I was using an even older iPhone 6s with iOS15.7.x because it was sending "finder reports", my tags (original & fake) got updated whenever I switched the phone on. It was useful for testing while playing around with key rotation and stuff.

Recently I updated it to the latest version available for this old brick: 15.8.1 released end of January. Suddenly, it does not work as a "finder device" anymore! I am not sure which version was installed before, something from 2022 I guess – definitely way before iOS17 was even announced. Apple's version history does not state any changes to MFi (FindMy) in particular, so it is unknown when exactly iOS15.x stopped working as a "finder device". My iPhone with iOS16.7.4 (released shortly before Christmas 2023) for sure works as a "finder device" – I will not update it!

This made me wonder when exactly iOS 17 introduced "the problem": possibly with version 17.2 (released early December 2023). The version history at least mentioned changes to "Find My" ... so did this unintentionally screw up the network? Does this coincide with the first reports about the trouble we now all witness?

JayFoxRox commented 7 months ago

The version history at least mentioned changes to "Find My" ... so did this unintentionally screw up the network?

There isn't too much info in CVE-2023-42922; maybe @r3ggi can provide some more info about what the issue has been, or if it could be related to findability (reduced number of reports) of airtags with constant (non-rotating) keys in lost mode?


I believe I also saw forum posts about official airtags getting fewer reports in sharing mode (where you share the location of an airtag with someone else). Maybe that's something better to report to Apple?

ngxson commented 7 months ago

I believe I also saw forum posts about official airtags getting fewer reports in sharing mode (where you share the location of an airtag with someone else). Maybe that's something better to report to Apple?

Same here! I have an airtag (the official thing) shared by my friend. I see that it updates much less often than before iOS 17.

Before, when I was on iOS 16, I got update every 2-6 hrs, it's never more than 24 hrs. Now it takes days (as I'm writing this comment, the last location report was 1 week ago).

Itheras commented 7 months ago

The version history at least mentioned changes to "Find My" ... so did this unintentionally screw up the network?

There isn't too much info in CVE-2023-42922; maybe @r3ggi can provide some more info about what the issue has been, or if it could be related to findability (reduced number of reports) of airtags with constant (non-rotating) keys in lost mode?

I believe I also saw forum posts about official airtags getting fewer reports in sharing mode (where you share the location of an airtag with someone else). Maybe that's something better to report to Apple?

I want to point out this has nothing to do with key rotation or anything of that sort. It affects all devices that depend on the Find My network. Official, 3rd party, or OHS, they all have problems in separated mode.

humpataa commented 7 months ago

iOS17.4 RC: issue not fixed.

@shiprec you can use any AppleID for requesting any reports as long as you have the keys. The AppleID (iCloud) is only needed for encryption of traffic, Apple "items" (such as real or fake AirTags) are not bound to a specific AppleID.

acalatrava commented 7 months ago

The other day one of my official FindMy tracker (Chinese one) went rogue and my iOS 17 iPhone started reporting it as if it were not mine. It alerted me that a device was tracking me.

So with this I can confirm that, at least, iOS 17 actively listen to the beacons… Not sure if it’s proxying them to Apple servers though.

humpataa commented 7 months ago

Yes, I have noticed that as well: iOS17 does recognise when unknown AirTags are "following". At least THIS seems to work. We've made another test 3 hours in the woods yesterday. Carrying 4 AirTags (2 original, 2 official clones) plus 1 fake tag. Not a single update for any of the devices – and we've even had at least 50 people passing! All without iPhones? Rather unlikely. A few with iOS17 not doing their "job"? More likely.

I have summed it up for asking others how to check / recreate the issue. It is actually not that hard:

Since iOS 17 is supposed to send whereabouts reports to Apple's server, this shows that it doesn't. Or the server is not storing the information properly. Or not sending it back out when requested by the Find My app. So annoying.

voidsquared commented 7 months ago

There is no problem on the Apple side. You just need to have latest firmware (2.0.61, check it when you tap serial number in find my app) to have functional tracking. I have tested vanilla fw - works, plenty of reports. I have also tested modified fw with custom pubkey - works, plenty of reports. I guess the magic is in some communication between tag and iphone, but that is a subject of research right now.

biemster commented 7 months ago

There is no problem on the Apple side. You just need to have latest firmware (2.0.61, check it when you tap serial number in find my app)

you mean "official AirTag" firmware? If that's the case we should compare what this latest version sends vs older firmware (but I don't own any AirTags :( )

humpataa commented 7 months ago

There is no problem on the Apple side.

I am sure you are wrong. My original AirTags have version 2.0.61 – but apart from that – do you really believe Apple would force every AirTag (and all the clones!) to update to make them work like everyone is expecting? Besides: how do you update the firmware of original tags anyway?

Have you done the test I wrote above? Please do. And make sure you do it exactly as described. I am sure that some iOS16 (or even iOS15) at your place is reporting. Nothing to be happy about.

biemster commented 7 months ago

Apple would force every AirTag (and all the clones!) to update to make them work like everyone is expecting?

I assumed from the comment that this is an easy procedure, and frankly this wouldn't be the first time a tech firm responds to "my [insert device] is not working" with "please press update".

But if your tags are all on 2.0.61 already @humpataa, I'm inclined to believe there are other devices close to @voidsquared that ruined the testing.

humpataa commented 7 months ago

iOS17.4 update doesn't seem to bring any changes. :roll_eyes:

isibizi commented 7 months ago

I think Apple has found a way to block cloned tags :(

shiprec commented 7 months ago

@humpataa the manufacturer was able to get back to me. They were able to replicate the issue with multiple of their Apple approved tags, based on your step by step instructions (thank you). I am pushing them to notify Apple to see what they say.

isibizi commented 7 months ago

@shiprec Manufacturer of licensed Tags, or cloned?

shiprec commented 7 months ago

@isibizi Manufacturer of licensed tags

humpataa commented 7 months ago

@shiprec

@humpataa the manufacturer was able to get back to me.

sounds good. what's the name of the company?

shiprec commented 7 months ago

@humpataa I am not sure I should share that publicly.

humpataa commented 7 months ago

okay, well let's hope it has some impact. and I hope it's some server side issue, Apple just needs to pull the lever and all will be smooth again ...

supaeasy commented 6 months ago

iOS17.4 RC: issue not fixed.

@shiprec you can use any AppleID for requesting any reports as long as you have the keys. The AppleID (iCloud) is only needed for encryption of traffic, Apple "items" (such as real or fake AirTags) are not bound to a specific AppleID.

Very recently I set up macless-haystack instead of openhaystack so I could throw out the macMini that I was running it on, and I can definitely say that this is not true. I accidentally logged into anisette with another AppleID and got error messages when trying to fetch locations even though I correctly imported the .json file with my devices. It went flawlessly after I changed the AppleID account to the one I created the devices with. Actually I thought this should work as you described, but can now tell it does not.

humpataa commented 6 months ago

Are you using the python scripts for requesting reports? The iCloud_decryptionkey must be created with the AppleID you want to use, of course.

supaeasy commented 6 months ago

I am using anisette and macless-haystack in docker and I guess it creates the key when I login with an appleID - right? I am not at home so I cannot tell where exactly iCloud_decryptionkey comes into play.

humpataa commented 6 months ago

I don't know the macless / docker version, but I have definitely used different AppleIDs to get reports for the same devices.

humpataa commented 6 months ago

@humpataa I am not sure I should share that publicly.

Do you have updates from the company, have they been able to make contact with Apple? I am still struggling to find an appropriate channel, tried chat, phone, forums, support – all don't seem (want) to be "responsible", cannot answer and cannot forward it to the right address. All my bug reports (feedback) have zero replies as well. Very annoying.

shiprec commented 6 months ago

@humpataa they said they would send it to Apple and let me know if there is any response. So far I haven't heard anything.

supaeasy commented 6 months ago

Could it have something to do with iOS17 new ability to share AirTags? Maybe they changed the way the reports are handled.

Itheras commented 6 months ago

Could it have something to do with iOS17 new ability to share AirTags? Maybe they changed the way the reports are handled.

Nope. A regular AirTag using the Apple Find My app gets no reports if there is no iOS 16 device around.

isibizi commented 6 months ago

iOS 17.4.1 has fixed this issue

davesenior9 commented 6 months ago

Can confirm, upon updating my iPhone 15 to 17.4.1, I'm immediately getting updates from the device that I've previously received zero updates from.

Systm21 commented 6 months ago

...our haystacked clonetags are also working normally?

Itheras commented 6 months ago

Everything is back to normal, but I believe something is being done differently with the status bit on the iOS side; take it with a grain of salt, I need to dig deeper. But yes, everything is reporting again.

isibizi commented 6 months ago

...our haystacked clonetags are also working normally?

Yes, it should be working too.

humpataa commented 6 months ago

Can confirm, upon updating my iPhone 15 to 17.4.1, I'm immediately getting updates from the device that I've previously received zero updates from.

Same here: it really looks good since yesterday; however, I have the feeling that older devices (iOS < 16.7.6) still report quicker and more reliably?! But working again finally! 😍

Tested with 2 original AirTags, 2 official clones and several fake tags (status byte fully used, hint byte correctly set) – all fine.

There is an update for iOS16 as well, fixing the issue too I believe. Still waiting for technical details of the update, guess Apple is waiting for the rollout to reach enough people before sharing details.

Cassander313 commented 2 months ago

Does anyone notice if this issue has now come back since the new 17.5.1 rollout, in terms of detecting tags?

doggyhaha commented 2 months ago

Does anyone notice if this issue has now come back since the new 17.5.1 rollout, in terms of detecting tags?

Can confirm, I'm on 17.6 and no report appears with the original HCI.py; I'm trying with the one from the PR, but I had to patch it further since it couldn't change the BLE address.

OK, I managed to fix it (?) but I don't know how reliable this is; also it's very device specific and I don't know which edits are necessary.

Gist URL: https://gist.github.com/doggyhaha/37e61a03a07868942f64c343b29766c2. I also had to build bdaddr (this one, since BlueZ didn't have it included).

I run it with `python HCI_fix.py -k "ADV_KEY" -i 33` (as root). I used this script to get results and this script to generate the keys.

I didn't try any other combination/script. I have an iPhone 15 with iOS 16. If I understood correctly, the problem was that HCI.py couldn't change the MAC address on my device.