Hacking ▍

AirTags · Deep Dive · 15 volumes

AirTags

A 15-volume deep dive — how trackers work, how to use and DIY them, which work on which phone, and how to find a hidden one.

Item trackers ("air tags") end-to-end — the BLE Find My network, UWB, NFC/anti-stalking theory, the tracker varieties, and the counter-surveillance half: detecting hidden tags.

Search every volume:

    Volumes

    1. Vol 1 AirTags Volume 1 — Overview & the Item-Tracker Landscape What item trackers are, the four find-networks, the two halves of this deep dive, where it sits in the hub, the buy/detect decision tree, and depth indices into Vols 2-15
    2. Vol 2 AirTags Volume 2 — Theory I: BLE Advertising & the Find My Crowd-Sourced Network The non-connectable advertising PDU, Apple's 0x004C/0x12 Find My data, the rotating NIST P-224 key chain, finder-side ECIES encryption, owner-side query-and-decrypt, and why a plain MAC scan can never follow the tag
    3. Vol 3 AirTags Volume 3 — Theory II: Ultra-Wideband Precision Finding Apple's U1/U2 silicon, the IEEE 802.15.4z HRP impulse-radio PHY, the channel-5/9 plan at 499.2 MHz, distance from two-way time-of-flight, bearing from multi-antenna angle-of-arrival, the distance-arrow-and-haptics UX, how Samsung SmartTag UWB compares — and why a 6 GHz-ceiling HackRF rules UWB off the bench
    4. Vol 4 AirTags Volume 4 — Theory III: NFC, Lost Mode & the Anti-Stalking / Separated-Beaconing Behavior The passive NDEF tag any phone can read, the found.apple.com / Lost-Mode contact path, the status-byte 'paired vs separated' distinction, the long-lived separated-state key that makes a tag detectable, the audible-chirp and Found-Moving-With-You countermeasures, the detection-delay-by-design rationale, and the Apple+Google DULT framework — the bridge from the tracker half into the detection half
    5. Vol 5 AirTags Volume 5 — AirTag Hardware Teardown The 31.9 mm puck opened: the Nordic nRF52832 BLE SoC and its NFCT peripheral, the Apple U1 UWB responder, the NXP NT3H2111 NTAG-I²C-plus front-end (Type-2 / 14443-A, pinned), the voice-coil speaker that doubles as the battery interlock, the CR2032 power tree and its one-year current budget, and how three radios and three antennas coexist in an 8 mm coin
    6. Vol 6 AirTags Volume 6 — How to Use Them: The Full AirTag Lifecycle One-tap pairing and Apple-ID binding; the Find My Items tab; Precision Finding (UWB) walkthrough; Lost Mode and the NFC contact path; sharing up to five people (iOS 17+); CR2032 battery replacement; and the honest account of Apple-ecosystem lock-in — this volume is the operational manual the theory volumes (Vols 2–4) built toward
    7. Vol 7 AirTags Volume 7 — Varieties I: Apple AirTag & Samsung SmartTag/SmartTag2 The two ecosystem-native UWB trackers side by side: AirTag specification recap, the three Samsung SmartTag generations (BLE-only baseline → UWB-augmented SmartTag+ → IP67 SmartTag2 with ~700-day battery), SmartThings Find vs Find My at network scale, head-to-head spec and feature matrices, the Galaxy-device registration lock, and the programmable-button feature the AirTag never had
    8. Vol 8 AirTags Volume 8 — Varieties II: Tile, Chipolo, Pebblebee & Cross-Network Tags The BLE-only and 'Find My or Google' trackers: Tile's own-network cross-platform line (Mate/Pro/Slim/Sticker, Life360, Amazon Sidewalk, no UWB); Chipolo's one-network-per-SKU architecture (ONE Spot / CARD Spot = Find My; POINT / CARD POINT = Google); Pebblebee's rechargeable variants; the consumer-confusion trap at the heart of this category; and the complete cross-network variety matrix
    9. Vol 9 AirTags Volume 9 — Which Works on Which Phone: The Network Map The definitive Android-vs-iPhone matrix: the four verbs (register / locate / be-found-by / detect) defined with engineering precision, then applied across every finding network and every OS — Apple Find My, Samsung SmartThings Find, Google Find My Device, and Tile; the key asymmetries (Android can detect but not own an AirTag; iPhone cannot register a SmartTag; Tile is the only register-on-either-OS option); and the Apple+Google DULT cross-platform detection cooperation that lets each OS alert on the other ecosystem's trackers
    10. Vol 10 AirTags Volume 10 — DIY: OpenHaystack & Macless-Haystack Turning a $5 ESP32 or an nRF52 into a Find My beacon: the original macOS-app-plus-Mail-plugin architecture, why the anisette server replaced the Mac, the P-224 key-gen → flash → advertise → fetch → decrypt pipeline that reuses Vol 2's payload byte-for-byte, a build BoM with the honest battery-life math, and the posture envelope for riding Apple's network without an MFi certificate
    11. Vol 11 AirTags Volume 11 — Detection Devices for Hidden/Unwanted Tags The complete detection landscape: iOS and Android OS-native alerts, Tracker Detect (Android, manual scan), AirGuard (TU Darmstadt), commercial BLE scanners and RF bug-sweepers, the Apple+Google DULT draft spec, and an honest can/cannot matrix of what each tool actually sees — with the false-sense-of-security caveat front and center
    12. Vol 12 AirTags Volume 12 — DIY Detection & Finding The engineer-on-the-bench counter-surveillance toolkit: nRF Connect, bluetoothctl, btmon and the legacy hcitool path, an nRF52840 sniffer feeding Wireshark, the FF 4C 00 12 separated-state signature to match on, the key-rotation problem and why you correlate persistence + RSSI within one sweep session instead of across rotations, a bleak RSSI-walk logger, the NFC serial read, and the reproducible sweep-your-own-car/bag/room decision tree
    13. Vol 13 AirTags Volume 13 — Add-ons to Your Existing Hack Tools Gear Turning the bench you already own into a tracker-sweep kit: the Flipper Zero BLE stack and its community scanner FAPs, ESP32 Marauder on the AWOK Dual Touch V3 (and why AirTag Detect lives in Ghost ESP / Bruce, not mainline), the Ruckus Game Over multitool, the Nyan Box as the counter-surveillance sibling, the nRF52840 dongle as the clean sniffer path, and the HackRF One UWB-band question answered correctly — a 6 GHz ceiling means it cannot receive UWB at all
    14. Vol 14 AirTags Volume 14 — Operational Posture, Legal & Ethics The make-vs-find line, lawful and unlawful uses, the consent bright line, regional law pointers, data-handling rules for detection sweeps, DIY-beacon ToS boundaries, and the presence-not-proof caveat — the ethical and legal capstone of the series
    15. Vol 15 AirTags Volume 15 — Cheatsheet: Laminate-Ready Field Card Detect / read / DIY / gear / network map / legal — one-page synthesis of the fifteen-volume series