Jailbreakers manage to crack AirTag firmware and adjust NFC link
Hackers have managed to crack the firmware of Apple’s AirTag. As a result, small changes to the gadget are possible; for example, the URL to which the tag points can be changed. The data points on the PCB have also been mapped.
The first hack of the AirTag was carried out this weekend by German security researcher Thomas Roth, who managed to gain access to the AirTag’s microcontroller. That was not easy: Roth first had to create a firmware dump in order to reprogram the microcontroller. For now, the only thing he has achieved with this is reprogramming the NFC controller, which made it possible to change the link an AirTag points to.
Normally an AirTag only points to an iCloud URL, but Roth was able to change that. The hacker posted a short video on Twitter in which he shows the AirTag pointing to his own website. The video shows the AirTag connected to cables, but according to him that is only to supply the gadget with power.
A second hacker also took the AirTag apart. Colin O’Flynn managed to map the various data points on the AirTag’s PCB and published the data on GitHub. Thomas Roth says he used that map to modify the NFC chip via the nRF52 development kit.
Earlier this month, iFixit also disassembled the AirTag. Among other things, it showed that the main board is very densely packed, but the tinkerers still found three spots where a hole could be drilled to attach a key ring by hand.
Source: Colin O’Flynn