AirTags Volume 15 — Cheatsheet: Laminate-Ready Field Card

Detect / read / DIY / gear / network map / legal — one-page synthesis of the fifteen-volume series


15.1 Find My Advertisement Signature

This is the constant fingerprint a detector keys on. Everything after the type byte rotates; the signature itself never changes.

15.1.1 Three-Gate Filter — ASCII Panel

┌───────────────────────────────────────────────────────────────────────────────┐
│  FIND MY ADVERTISEMENT — THREE-GATE FILTER (Vol 2 §3, Vol 12 §4)            │
│                                                                               │
│  PDU type:   ADV_NONCONN_IND  (non-connectable; separated tag is passive)    │
│                                                                               │
│  Gate 1 — Apple Company ID:  FF  4C 00                                       │
│            (0x004C, little-endian on-wire: first byte 0x4C, second 0x00)     │
│                                                                               │
│  Gate 2 — Apple type byte:   0x12  (Find My)                                 │
│            NOT 0x07 (Nearby/AirDrop), NOT 0x10 (AirPods/Nearby)             │
│                                                                               │
│  Gate 3 — Status byte:       separated flag SET  (owner absent, Vol 4 §4.2) │
│            Matching only Gate 1 lights up every nearby iPhone/AirPod/Mac     │
│                                                                               │
│  On-wire frame layout (offsets per OpenHaystack / PETS 2021):               │
│  1E  FF  4C 00  12  19  [status]  [22 key bytes]  [key0-hi]  [hint]        │
│  ↑   ↑   ↑     ↑   ↑    ↑                                                   │
│  len AD  Comp  type len  status byte (offset 6)                              │
│      type ID             high bits = battery; bit 0 = separated flag        │
│                                                                               │
│  WHAT IS CONSTANT:   FF 4C 00 12  — the detection handle                    │
│  WHAT ROTATES:       BLE address + all 22 key bytes (+ key0-hi + hint)      │
│                                                                               │
│  KEY ROTATION PERIODS                                                         │
│  Paired (tag with owner):   ~15 min   ~96 address+key changes per day       │
│  Separated (hidden state):  ~24 h     (PETS 2021 baseline; firmware-dep.;   │
│                                        Apple does not publish; hedge this)   │
│                                                                               │
│  DETECTION INSIGHT: A plain MAC scan sees ~96 strangers/day from one tag.   │
│  Match the constant signature + separated flag, then correlate persistence  │
│  as you move — the separated key is session-stable (~24 h).                 │
└───────────────────────────────────────────────────────────────────────────────┘

15.1.2 Payload Field Reference

Table 1 — 1.2 Payload Field Reference

| Offset | Field | Value | Notes |
|---|---|---|---|
| 0 | AD length | 1E (30) | Length of this AD element |
| 1 | AD type | FF | Manufacturer-specific data |
| 2–3 | Company ID | 4C 00 | Apple Inc. 0x004C, little-endian |
| 4 | Apple type | 0x12 | Find My — not 0x07 or 0x10 |
| 5 | Payload length | 0x19 (25) | |
| 6 | Status byte | 0x__ | High bits = battery level; bit 0 = maintained (0) / separated (1) |
| 7–28 | Public key fragment | 22 bytes | Rotating NIST P-224 key bytes |
| 29 | Key byte 0 high bits | 2 bits | Recovered high bits of key[0] |
| 30 | Hint | 1 byte | |

The BLE address also carries ~6 bytes of the current public key (top 2 bits forced to 0b11 random-static). The address rotates with the key.

15.1.3 Key Rotation Reference

Table 2 — 1.3 Key Rotation Reference

| State | Key / address rotation | Keys per day | Detection consequence |
|---|---|---|---|
| Paired (owner nearby) | ~15 min | ~96 | Naive MAC scan fails — 96 strangers/day |
| Separated (hidden state) | ~24 h (PETS 2021; hedge — Apple does not publish) | ~1 | Session-stable: correlate persistence + RSSI |

The key chain (from Vol 2): Pairing seeds a symmetric ratchet; each step derives a new scalar, new EC point — only the owner (holding the original private key) can recompute the decryption keys. Apple holds only the key-hash index and the ciphertext; it cannot read locations or identify finders.


15.2 Detect — Fastest Path per Platform

15.2.1 Platform Card

Table 3 — 2.1 Platform Card

| I have… | Fastest detection | Background? | Notes |
|---|---|---|---|
| iPhone (iOS 14.5+) | Built-in “Found Moving With You” alert | ✅ auto | No app; enabled since iOS 14.5 (2021) — full detail in Vol 11 §2 |
| Android (2023+, updated Play Services) | Native unknown-tracker alerts | ✅ auto | Google Play Services update 2023; DULT-compliant trackers across all networks |
| Any Android (power user) | AirGuard (TU Darmstadt / SEEMOO, open-source, Apache 2.0) | ✅ auto | Multi-network (AirTag, SmartTag, Tile), exportable history log, best supplement — full detail in Vol 11 §3 |
| Android (on-demand scan) | Tracker Detect (Apple Inc., Play Store) | ❌ manual | Android-only; open app → Scan; no background protection — full detail in Vol 11 §4 |
| Linux / bench | bluetoothctl scan, filter FF 4C 00 12 + separated | ❌ manual | See §7 commands; btmon for byte-exact HCI decode |
| Owned gear (Hack Tools) | AWOK Dual Touch V3 with Marauder/Ghost ESP/Bruce | ❌ manual | Best standalone owned; AirTag Detect in fork builds — full detail in Vol 13 §4 |

15.2.2 Sweep Procedure

Five steps — app or DIY tool:

Table 4 — 2.2 Sweep Procedure

| Step | Action | Key point |
|---|---|---|
| 1 | Background scan; filter to separated Find My adverts (FF 4C 00 12 + separated status byte) | Gate 3 is critical — most real-environment detections are already in the app |
| 2 | Move on purpose — drive the route, carry the bag through rooms | A tag traveling with you persists; background-noise tags drop off as you move |
| 3 | One persistent tag? RSSI-walk to it | RSSI is ordinal, not metric — warmer/colder only; multipath/body-shadowing (±10–20 dB) defeats any distance estimate |
| 4 | Physically found → NFC-tap for serial | See §3; any NFC phone, no app needed |
| 5 | Document → report → (then) disable | Photograph it, export AirGuard log, contact law enforcement before removing |

A quiet sweep ≠ safe. Paired-state tags (within detection-delay window), non-DULT trackers, and GPS/cellular trackers (no BLE advert) are all invisible to this approach. Absence of a hit is not proof of absence — see Vol 11 §6.4 and Vol 12 §8.
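The three-gate filter from §15.1 combined with the persistence test from the sweep procedure, as an added example (not code from the series, AirGuard or any named tool): it parses raw AD elements using the offsets in the payload field reference and keeps only separated tags that reappear across places. The thresholds, place labels, helper names and sample frames are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

APPLE_MFR = bytes([0xFF, 0x4C, 0x00])  # AD type FF + company ID 0x004C, little-endian
FIND_MY_TYPE = 0x12                    # Gate 2 value from the panel above
SEPARATED_MASK = 0x01                  # bit 0 of the status byte, as this card defines it


@dataclass(frozen=True)
class FindMyAdv:
    separated: bool
    battery: int          # high two bits of the status byte
    key_fragment: bytes   # 22 rotating key bytes, offsets 7-28


def parse_find_my(frame: bytes):
    """Apply gates 1 and 2 to one AD element; return FindMyAdv or None."""
    if len(frame) < 31 or frame[0] != 0x1E:      # truncated or wrong AD length
        return None
    if frame[1:4] != APPLE_MFR:                  # Gate 1: FF 4C 00
        return None
    if frame[4] != FIND_MY_TYPE or frame[5] != 0x19:   # Gate 2: type 0x12, len 25
        return None
    status = frame[6]
    return FindMyAdv(bool(status & SEPARATED_MASK), (status >> 6) & 0x03,
                     bytes(frame[7:29]))


def persistent_tags(sightings, min_span_s=600, min_places=2):
    """Gate 3 plus the persistence test from the sweep procedure.

    sightings: iterable of (unix_time, place_label, rssi_dbm, frame_bytes).
    min_span_s and min_places are assumed thresholds, not values from the series.
    """
    seen = defaultdict(list)
    for ts, place, rssi, frame in sightings:
        adv = parse_find_my(frame)
        if adv is None or not adv.separated:     # Gate 3: separated flag set
            continue
        seen[adv.key_fragment].append((ts, place, rssi))
    hits = {}
    for key, obs in seen.items():
        times = [o[0] for o in obs]
        places = sorted({o[1] for o in obs})
        if max(times) - min(times) >= min_span_s and len(places) >= min_places:
            hits[key.hex()] = {
                "span_s": max(times) - min(times),
                "places": places,
                "strongest_rssi": max(o[2] for o in obs),  # ordinal hint only
            }
    return hits


def make_frame(apple_type, status, key_byte):
    """Build a constructed 31-byte frame in the card's layout (test data only)."""
    return (bytes([0x1E, 0xFF, 0x4C, 0x00, apple_type, 0x19, status])
            + bytes([key_byte]) * 22 + bytes([0x00, 0x00]))


# Constructed sightings: (unix_time, place, RSSI, frame). Not captured traffic.
FOLLOWER = make_frame(0x12, 0x41, 0xAA)   # separated, travels with the scanner
CAFE_TAG = make_frame(0x12, 0x01, 0xBB)   # separated, but seen in one place only
PAIRED = make_frame(0x12, 0x40, 0xCC)     # Find My, separated bit clear
NEARBY = make_frame(0x10, 0x01, 0xDD)     # Apple frame, wrong type byte
SAMPLE = [
    (0, "home", -70, FOLLOWER), (0, "home", -60, NEARBY),
    (900, "car", -52, FOLLOWER), (900, "car", -65, PAIRED),
    (1000, "cafe", -80, CAFE_TAG), (1700, "cafe", -78, CAFE_TAG),
    (1800, "office", -58, FOLLOWER), (1800, "office", -66, PAIRED),
    (1900, "office", -90, FOLLOWER[:20]),  # truncated frame is ignored
]


def demo():
    return persistent_tags(SAMPLE)


if __name__ == "__main__":
    for key_hex, info in demo().items():
        print(key_hex[:12], info)
```

Only the constructed FOLLOWER tag survives all three gates and the place test; the café tag lasts long enough but never changes place, which is the background-noise case step 2 describes.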


15.3 Read — NFC Tap a Found Tag

Any NFC phone, no app needed — works on a dead battery (RF-powered passive NFC tag).

Table 5 — 3. Read — NFC Tap a Found Tag

| Step | Action | What you get |
|---|---|---|
| 1 | Tap the tag with any NFC phone (iPhone or Android) | Browser launches to found.apple.com |
| 2 | Serial number | Always present, even with a dead battery |
| 3 | Owner contact | Only if Lost Mode is on — often partially masked (e.g., •••• 7395) |
| 4 | Custom message | Set by owner in Find My when enabling Lost Mode |
| 5 | Screenshot and record everything | Serial + last-4 = evidence for law enforcement |

NFC is the only active read of a found tag. The separated BLE advert is non-connectable (Vol 2 §2.2) — you cannot interrogate it over BLE. NFC is how you get the serial — the one durable identifier. See Vol 4 §2–§3 for the full Lost Mode mechanics.

NFC hardware detail (Vol 5 §3): The AirTag uses an NXP NT3H2111 (NTAG I²C plus) — NFC Forum Type-2 / ISO 14443-A, 13.56 MHz. RF-powered: works on dead battery. Readable by any 14443-A device (Flipper NFC, Proxmark3 HF, PN532, any modern phone). nfc-list returns the chip UID (NOT the AirTag serial — UID is the NXP chip’s internal ID); use nfcpy to dump the NDEF URI that contains the serial and the found.apple.com URL. See §7 commands.

What Lost Mode changes — and does not change:

Table 6 — 3. Read — NFC Tap a Found Tag

Lost Mode OFFLost Mode ON
Serial visible on NFC tap
Owner contact visible✅ (masked)
BLE advertising changes❌ (server-side state only)
Owner push-notified on network locate

15.4 Network Map

15.4.1 The Four Verbs

Table 7 — 4.1 The Four Verbs

| Verb | Definition | What locks it |
|---|---|---|
| Register | Pair + bind to cloud account + become owner of record | Phone OS + cloud account must match the tracker’s network |
| Locate | See on a map, play sound, Precision Finding | Must be the registered owner |
| Be-found-by | A stranger’s phone silently reports the tag’s encrypted location | Depends on the finding network’s finder density, not the owner’s phone |
| Detect | OS or app alerts you that an unknown tag is traveling with you | Cross-platform via DULT — the one verb both phone OSes share across all networks |

DULT = the detect equalizer. Apple+Google “Detecting Unwanted Location Trackers,” IETF draft, announced May 2023. Standardizes the separated-accessory BLE signal + cross-platform OS alert behavior. Supporters: Apple, Google, Samsung, Tile, Chipolo, Pebblebee. Ownership is network-locked; detect is not. Full detail in Vol 11 §6 and Vol 4 §8.

15.4.2 Network × Phone Capability Matrix

Table 8 — 4.2 Network × Phone Capability Matrix

| Tracker / Network | iPhone (iOS) | Samsung Galaxy | Other Android | Key constraint |
|---|---|---|---|---|
| AirTag — Apple Find My | Register ✅ Locate ✅ Be-found-by ✅ Detect ✅ | Register ❌ Detect ✅ | Register ❌ Detect ✅ | Android can detect but not register; Android devices don’t contribute finders to Find My |
| SmartTag / SmartTag+ / SmartTag2 — SmartThings Find | Register ❌ Detect ✅ | Register ✅ Locate ✅ Be-found-by ✅ Detect ✅ | Register ❌ Detect ✅ | Requires Samsung Galaxy + Samsung account to register. Hardest ecosystem wall. |
| Chipolo ONE Spot / CARD Spot / Pebblebee FM — Apple Find My | Register ✅ Locate ✅ Be-found-by ✅ Detect ✅ | Register ❌ Detect ✅ | Register ❌ Detect ✅ | “Spot” SKU = Find My; inherits Apple’s network and anti-stalking framework |
| Chipolo POINT / CARD POINT / Pebblebee Google — Google FMD | Register ❌ Detect ✅ | Register ✅ Locate ✅ Be-found-by ✅ Detect ✅ | Register ✅ Locate ✅ Be-found-by ✅ Detect ✅ | Google network live April 2024; opt-in by Android device owner |
| Tile / Life360 — Tile network + Sidewalk | Register ✅ Locate ✅ Be-found-by ✅ Detect ✅ | Register ✅ Locate ✅ Be-found-by ✅ Detect ✅ | Register ✅ Locate ✅ Be-found-by ✅ Detect ✅ | Only network where either phone OS can register and locate. Sidewalk (US) adds Amazon Echo/Ring fixed coverage. Smallest phone-pool. |

Android + AirTag quick-ref: Register? No. Locate? No. Be-found-by? Via iPhones near the tag — Android devices don’t contribute finders. Detect? Yes (DULT native alerts, AirGuard, Tracker Detect). NFC-read? Yes (any NFC Android).

The one-network-per-SKU rule. Chipolo and Pebblebee each sell physically identical form factors in two network variants. “Spot” = Apple Find My (iPhone ownership). No “Spot” = Google FMD (Android ownership). “Find My” in Pebblebee name = Apple. “Google” = Google FMD. Cannot switch networks post-purchase. Buy the SKU that matches your phone.

15.4.3 Network Density Quick-Ref

Table 9 — 4.3 Network Density Quick-Ref

| Network | Scale | Geographic sweet spot | Finder opt-in? |
|---|---|---|---|
| Apple Find My | ~1B+ devices, auto-enrolled as finders | NA / EU / Japan / Australia (iPhone-dominant markets) | No — silent finder by default |
| Google Find My Device | ~1B+ Android 9+ devices, opt-in | Android-dominant markets; growing post-April 2024 | Yes — per device |
| Samsung SmartThings Find | Galaxy phones only | South Korea; moderate elsewhere | Galaxy auto |
| Tile + Sidewalk | App-install users only + US Sidewalk (Amazon Echo/Ring devices) | US: Sidewalk adds fixed residential; international: app-density only | Sidewalk opt-out (enrolled by default) |

15.5 DIY Beacon — Macless-Haystack Quick Steps

OpenHaystack vs Macless-Haystack: OpenHaystack (SEEMOO/TU Darmstadt, 2021) required a macOS app + Apple Mail plugin to authenticate report fetches. Macless-Haystack (dchristl) replaced that with a self-hosted anisette server + cross-platform endpoint + throwaway Apple ID. The firmware is the same; the difference is who supplies the report-fetch authentication. Use Macless-Haystack today. Full detail in Vol 10.

15.5.1 Five Steps

Table 10 — 5.1 Five Steps

| Step | Action | Detail |
|---|---|---|
| 1. Generate keys | Create a NIST P-224 (secp224r1) keypair | Macless-Haystack keygen script. Private key: never commit it to git; keep it at 0600 or in a keychain, off the beacon |
| 2. Flash firmware | Embed the 28-byte public key in ESP32 / nRF firmware | ESP32: esptool / PlatformIO via USB-UART (same toolchain as ESP32 Marauder Firmware/). nRF: nrfutil DFU / SWD (pyocd/OpenOCD). micro:bit: drag-and-drop |
| 3. Advertise | Beacon emits exact FF 4C 00 12 Find My frame | Same PDU as Vol 2 §3 — not re-derived. Simple beacon = one static key = stable BLE address (MAC-trackable; pre-rotate a key list to mimic the AirTag’s unlinkability) |
| 4. Fetch reports | Query Apple by SHA-256(public_key) via anisette auth | Self-hosted macless-haystack endpoint + dadoum/anisette-v3-server Docker + throwaway Apple ID. No Mac required. |
| 5. Decrypt | ECIES: ECDH on P-224 → ANSI X9.63-KDF (SHA-256) → AES-GCM → lat/lon | Your private key + the ciphertext Apple stored; same scheme as Vol 2 §6.3 — you are now the “owner” side |

15.5.2 Hardware Options

Table 11 — 5.2 Hardware Options

| Platform | Cost | Battery life | Notes |
|---|---|---|---|
| ESP32 (WROOM) | ~$5 | Days–weeks (power hungry) | Existing bench toolchain; C3/C6 variants are more power-efficient |
| nRF51822 (micro:bit) | Low | Months | Legacy original target; drag-and-drop flash |
| nRF52 class (nRF52832, nRF52840) | ~$5–15 | Months–~1 yr (with deep sleep) | Same silicon class as the real AirTag (Vol 5 §2); best battery life |
| Linux-HCI | $0 extra | N/A (wall power) | Research/bench only; non-portable |

15.5.3 DIY Beacon vs Real AirTag — What’s Missing

Table 12 — 5.3 DIY Beacon vs Real AirTag — What's Missing

FeatureReal AirTag (Vol 5)DIY Beacon (Vol 10)
Find My crowdsourced network✅ (same FF 4C 00 12 frame)
Key rotation (~15 min paired)✅ hardware ratchet❌ Static key unless you pre-rotate a list
Precision Finding — UWB (U1)❌ No U1 chip
NFC Lost Mode (NXP NT3H2111)❌ No NFC tag
Anti-stalking chirp / DULT alert✅ Speaker + DULT❌ No speaker, no DULT compliance
Detectable by signature-based scanner✅ (same radio signature — no stealth)

ToS reminder. Macless-Haystack rides Apple’s Find My network without MFi certification. Apple can reject non-MFi keys. Own property + consenting family + research use only. Tracking a person without consent is criminal stalking. The anti-stalking chirp is absent; a DIY beacon is detectable by any BLE scanner but has no DULT alert mechanism. See §9 and Vol 14.


15.6 Gear Reference

15.6.1 Tool × Job Table

Table 13 — 6.1 Tool × Job Table

ToolBLE scan / Find My filterAirTag Detect (cadence)RSSI-walkUWB receiveSniffer-gradeNotes
nRF52840 USB dongle✅ per-PDU RSSINordic Sniffer fw → Wireshark extcap; every PDU, all 3 adv channels, ~$10 aspirational
AWOK Dual Touch V3✅ ESP32-WROOM✅ fork only✅ + GPSBest standalone owned; on-board GPS location-stamps the persistence test
Ruckus Game Over✅ ESP32-S3✅ fork onlyNRF24/CC1101 daughter card = NOT BLE; adds nothing to tag-finding
Phone + nRF Connect✅ fastest triageAirGuard provides background detection; nRF Connect for live RSSI
Flipper Zero✅ community FAPWeak BLE radio (STM32WB55); findmy_flipper = offense (makes a beacon), NOT detection
Nyan Box✅ ESP32-WROOM-32UTriple NRF24 = NOT BLE; one walk covers cameras + trackers
HackRF One✅ BLE only (poor)No UWB6 GHz ceiling — cannot receive UWB; no BLE protocol stack either; wrong tool twice over

HackRF UWB caveat — carry this exactly (Vol 3 §9.2, Vol 13 §8.2). The HackRF One’s front end (MAX2837/RFFC5072) stops at 6 GHz, which is below UWB channel 5’s centre (6489.6 MHz) and even below the channel’s ~6240 MHz lower edge. It cannot receive either UWB channel (ch 5 or ch 9) — UWB receive is off the table, full stop. Its only AirTag relevance is BLE at 2.4 GHz, where it also lacks a BLE protocol stack and requires a full GNU Radio decode chain that every dedicated tool gives for free. Wrong tool twice over.

AirTag Detect in fork builds only. The ESP32 Marauder AirTag Detect feature exists in Ghost ESP / Bruce forks, not in mainline Marauder (omitted deliberately). It keys on the Apple Find My advertising cadence (~2 s) — it does not explicitly gate on the separated status byte, so confirm flags with the persistence-plus-RSSI test (Vol 12 §4).

15.6.2 Gear Ranking for a Real Sweep

Best  ► nRF52840 USB dongle (~$10, aspirational) — sniffer-grade, every PDU,
       │  per-PDU RSSI, Wireshark extcap; the one purchase that materially
       │  upgrades this topic

      ► AWOK Dual Touch V3 + Marauder fork — best standalone owned;
       │  GPS location-stamps the drive-the-route persistence test

      ► Phone + AirGuard (background auto-detection)
       │  or nRF Connect (live RSSI for RSSI-walk)

      ► Flipper Zero — convenient carry; weak BLE radio (STM32WB55)

      ► Nyan Box — fold AirTag BLE scan into a camera sweep (same walk)

Worst ► HackRF One — wrong tool for this job (no BLE stack, no UWB)

A second radio / daughter card never adds a Find My surface. The NRF24L01+ on the Nyan Box and Game Over is proprietary 2.4 GHz GFSK — blind to BLE advertising. Only the host ESP32 (or Flipper’s STM32WB55, or an nRF52840) speaks BLE. See Vol 13 §5.


15.7 Command Quick-Reference

# ── LINUX BLE SCAN (bluetoothctl — interactive) ───────────────────────────
sudo bluetoothctl
  power on
  scan on                          # starts LE advertising scan
  # look for FF 4C 00 12 in ManufacturerData output
  info <MAC>                       # shows ManufacturerData bytes for a seen device
  clear                            # clears all discovered devices (reset the scan list)
  scan off ; exit

# ── HCI-LEVEL BYTE CAPTURE (btmon — modern BlueZ workhorse) ──────────────
sudo btmon 2>&1 | grep -A8 "4C:00\|0x004c"
# Shows raw HCI advertising events; pipe through tee to save for offline analysis
# btmon replaces hcitool/hcidump (deprecated since BlueZ ~5.44)

# ── WIRESHARK / TSHARK FILTER FOR FIND MY ADVERTISEMENTS ─────────────────
# Capture with nRF52840 dongle + Nordic Sniffer firmware → Wireshark extcap
# Then filter in tshark:
tshark -i nordic_ble -Y \
  "btle.advertising_header.pdu_type == 0x02 && \
   btcommon.eir_ad.entry.company_id == 0x004c && \
   btcommon.eir_ad.entry.data[0] == 0x12"
# Note: btcommon.* field names are tshark / Wireshark version-sensitive.
# For a quick pass: filter on company_id 0x004c and inspect the type byte manually.
# ADV_NONCONN_IND = PDU type 0x02.

# ── PYTHON BLE RSSI-WALK (bleak — cross-platform) ─────────────────────────
# Install: pip install bleak
# Gates on Apple Find My signature (0x004C + type 0x12) + separated status byte
python3 - <<'EOF'
import asyncio
from bleak import BleakScanner

SEPARATED_MASK = 0b00000001   # bit 0 of status byte = separated flag (Vol 4 §4.2)

def callback(device, ad):
    # bleak strips the 2-byte company ID, so mfr = [type, length, status, key bytes...]
    mfr = ad.manufacturer_data.get(0x004C)
    if mfr and len(mfr) >= 3 and mfr[0] == 0x12:   # Gate 2: Find My type byte
        status = mfr[2]                              # frame offset 6 (after type + length)
        sep = bool(status & SEPARATED_MASK)          # Gate 3: separated flag
        bat = (status >> 6) & 0x03                   # high 2 bits = battery
        print(f"[{'SEP' if sep else 'PAI'}] RSSI={ad.rssi:+4d} dBm  "
              f"bat={bat}  {device.address}")

async def main():
    async with BleakScanner(detection_callback=callback):
        await asyncio.sleep(60)   # increase for a persistent sweep

asyncio.run(main())
EOF
# Note: ad.rssi (AdvertisementData.rssi) needs bleak 0.19 or newer; older releases exposed device.rssi instead

# ── NFC READ — NDEF URI (libnfc + nfcpy) ─────────────────────────────────
nfc-list                      # lists NFC targets (returns chip UID — NOT the AirTag serial)

# For the NDEF URI containing the serial + found.apple.com URL:
python3 - <<'EOF'
import nfc
with nfc.ContactlessFrontend('usb') as clf:
    tag = clf.connect(rdwr={'on-connect': lambda t: False})
    if tag and tag.ndef:
        for record in tag.ndef.records:
            print(record.uri)    # prints the found.apple.com URL with serial
EOF
# Or just tap the tag with any NFC phone — no code needed; browser auto-launches

15.8 Decision Panels

15.8.1 Which Tracker Should I Buy?

I want a tracker. What phone do I have?

├── iPhone (iOS 14.5+)
│   ├── Best find-network coverage + UWB Precision Finding (directional arrow)
│   │   → Apple AirTag (~$29)  [Full detail: see Vol 7]
│   ├── Find My, louder speaker, no button → Chipolo ONE Spot  [see Vol 8]
│   ├── Find My, wallet-card form → Chipolo CARD Spot  [see Vol 8]
│   ├── Find My, USB-C rechargeable → Pebblebee (Find My variant)  [see Vol 8]
│   └── Cross-platform (your partner has Android)
│       → Tile (only register-on-either-OS network)  [see Vol 8]

├── Samsung Galaxy phone
│   ├── Want UWB AR Compass Finding → SmartTag2 (requires Galaxy S21 Ultra+)
│   │   (~$30) [Full detail: see Vol 7]
│   ├── Galaxy A-series (no UWB chip) → SmartTag2 (BLE, IP67, best battery)
│   │   [see Vol 7]
│   └── Programmable IoT button + SmartThings automations → any SmartTag gen

├── Non-Samsung Android
│   ├── Google Find My Device (growing network) → Chipolo POINT / Pebblebee Google
│   │   [see Vol 8]
│   └── Cross-platform → Tile Mate / Tile Pro  [see Vol 8]

└── Cross-platform ownership (iOS + Android users on same item)
    → Tile only (the one network where either OS can register and locate)
    ⚠  Chipolo/Pebblebee: ONE SKU = ONE network, irreversible at purchase

Tracker quick-spec:

Table 14 — 8.1 Which Tracker Should I Buy?

| Tracker | Network | UWB | Battery | IP | Price |
|---|---|---|---|---|---|
| Apple AirTag | Find My | ✅ U1 | CR2032 ~1 yr replaceable | IP67 | ~$29 |
| Samsung SmartTag2 | SmartThings Find | ✅ (UWB Galaxy phones) | CR2032 ~500–700 days | IP67 | ~$30 |
| Chipolo ONE Spot | Find My | | CR2032 ~2 yr | None | ~$28 |
| Chipolo POINT | Google FMD | | CR2032 ~2 yr | None | ~$28 |
| Pebblebee Clip (FM/Google) | Find My or Google FMD | | USB-C rechargeable | IPX6 | ~$35 |
| Tile Mate | Tile + Sidewalk | | CR2032 ~3 yr replaceable | None | ~$25 |
| Tile Pro | Tile + Sidewalk | | CR2032 ~1 yr replaceable | None | ~$35 |
| Tile Slim | Tile + Sidewalk | | Sealed primary ~3 yr | None | ~$35 |

15.8.2 Which Detector Should I Use?

Table 15 — 8.2 Which Detector Should I Use?

| Scenario | Best detector | Notes |
|---|---|---|
| iPhone in pocket, nothing else | iOS built-in “Found Moving With You” | Automatic, background, iOS 14.5+; no app needed |
| Android, updated Play Services | Native unknown-tracker alerts | Google Play Services 2023 update; DULT-compliant |
| Any phone, power-user supplemental | AirGuard (TU Darmstadt, open-source) | Background + history log + exportable; multi-network |
| Android, one-off manual scan | Tracker Detect (Apple Inc., Play Store) | Android-only; manual; Find My beacons only |
| Bench / Linux | bluetoothctl + btmon | See §7; btmon for byte-exact HCI PDU |
| Sniffer-grade PDU capture | nRF52840 dongle + Wireshark | All 3 adv channels, per-PDU RSSI; ~$10 |
| RSSI-walk to localize a found tag | Any tool above + movement | Warmer/colder only; see §2.2 sweep procedure |
| GPS/cellular tracker (no BLE) | Physical search / spectrum sweep | BLE-scan tools are completely blind to non-BLE trackers |
| “Will a $30 RF wand help?” | No. Use AirGuard instead. | RF sweeper pegs at max in any real environment (wall-to-wall 2.4 GHz); no useful information |

15.9 Legal — Bright Lines

Not legal advice. Every pointer here is a map, not a guide. Laws vary, change, and apply differently to specific facts. Verify with a licensed attorney in your jurisdiction before acting on any legal framing here. Full detail in Vol 14; hub-wide posture at _shared/legal_ethics.md.

Table 16 — 9. Legal — Bright Lines

| Bright line | Rule |
|---|---|
| The line | Consent + ownership. Track your own property or consenting adults = lawful. Track a non-consenting person = criminal stalking in essentially every jurisdiction. |
| “I was worried” is not a defense | Anti-stalking and electronic-surveillance statutes are conduct-based, not intent-based. Good motives do not remove criminal liability for covert tracking of a person. |
| Lawful uses | Own property; consenting adults; minor-child supervision (age-sensitive); research on own gear; counter-surveillance sweeps of your own space/vehicle/bag. |
| Unlawful uses | Covert tracking of any non-consenting person — intimate partner, ex, employee, adult child, anyone. Relationship does not create consent. Reason does not create consent. |
| Minor children | Young children: generally lawful. Teenagers: mostly lawful but age-sensitive. Age of majority (typically 18 in most US states): adult analysis applies; covert tracking without consent = stalking. |
| Detection gives presence, not proof | A BLE scan confirms a DULT/Find My–format beacon was nearby. It does not prove intent, duration, or the tracker owner’s identity. Serial + AirGuard log + LE account-lookup subpoena = the evidence chain. Detection is the starting point. |
| Found a tracker | Document first: photograph, NFC-tap for serial (§3), export AirGuard history, record time/location. Contact law enforcement. Disable after — premature removal destroys the evidence most useful for LE. |
| NFC read data | Serial + last-4 of owner’s phone = evidence for law enforcement, not for you to investigate or confront the tag’s owner independently. |
| Do not confront alone | Safety planning with LE or a domestic-violence advocate before any confrontation. US: NDVH 1-800-799-7233. UK: Refuge 0808 2000 247. |
| DIY beacon (Vol 10) | Own property; personal/research scale; ToS-consistent use only. Out of bounds: tracking people, commercial scale, intentionally omitting the DULT separated signal to evade victim detection. |

US statute pointers (verify — law changes):

Table 17 — 9. Legal — Bright Lines

| Statute | Coverage |
|---|---|
| 18 U.S.C. § 2261A | Federal stalking statute (verify current text) |
| 18 U.S.C. §§ 2510 et seq. (ECPA) | Electronic Communications Privacy Act |
| 18 U.S.C. § 1030 (CFAA) | Computer Fraud and Abuse Act (indirect relevance) |
| California Penal Code § 637.7 | California-specific electronic tracking prohibition |
| ~40 state statutes | State-level electronic-tracking and stalking laws vary widely |

International pointers:

Table 18 — 9. Legal — Bright Lines

| Jurisdiction | Framework |
|---|---|
| EU | GDPR 2016/679 Arts 4/6/7 — location data is personal data; covert tracking has no lawful basis |
| UK | Protection from Harassment Act 1997 ss 2A/4A (inserted by Protection of Freedoms Act 2012) — criminal stalking offenses; Stalking Protection Act 2019 — SPOs |
| Canada | PIPEDA / CPPA (Bill C-27 successor); provincial privacy acts |
| Australia | Privacy Act 1988 and Australian Privacy Principles |

15.10 Series Index — Vol 1 to 14

The navigational spine of the series. Jump to any volume by topic; this cheatsheet is the one-page synthesis. When a fact on this card seems incomplete or the nuance matters, the source volume is where the depth lives.

Table 19 — 10. Series Index — Vol 1 to 14

| Vol | Title | Topic in one line | Cheatsheet §§ fed |
|---|---|---|---|
| 1 | Overview & the item-tracker landscape | Four networks, two halves, buy/detect decision tree, depth index into Vols 2–15 | §4 (network), §8.1 (tracker panel) |
| 2 | Theory I — BLE advertising + Find My network | PDU format, rotating P-224 key chain (EC / ECIES), zero-knowledge relay, ~1B+ finder density | §1 (signature), §7 (bleak script) |
| 3 | Theory II — Ultra-Wideband Precision Finding | Apple U1/U2, IEEE 802.15.4z HRP, ToF + AoA ranging, ch 5/9 (6489.6 / 7987.2 MHz), no consumer decoder | §6.1 HackRF caveat |
| 4 | Theory III — NFC, Lost Mode & anti-stalking beaconing | NFC NDEF tap mechanics, separated-state status byte, PAIRED↔SEPARATED state machine, DULT framework | §1 (rotation), §3 (NFC read) |
| 5 | AirTag hardware teardown | nRF52832-QFAA (BLE+CryptoCell), Apple U1 (UWB), NXP NT3H2111 (NFC Forum Type-2/ISO 14443-A), CR2032 power budget | §3 (NFC hardware) |
| 6 | How to use them | Pair → Find My → Precision Finding → Lost Mode → sharing (iOS 17+) → CR2032 swap; honest limits | §8.1 (tracker panel) |
| 7 | Varieties I — Apple AirTag & Samsung SmartTag | AirTag vs SmartTag/SmartTag+/SmartTag2 spec table; Galaxy-only wall; UWB model split; programmable button | §4.2 (network matrix), §8.1 |
| 8 | Varieties II — Tile, Chipolo, Pebblebee & cross-network | BLE-only brands, one-network-per-SKU rule, battery types, Sidewalk, Tile Anti-Theft Mode stalking loophole | §4.2, §8.1 (tracker panel) |
| 9 | Which works on which phone — the network map | register/locate/be-found-by/detect × network × phone OS; DULT as the detect equalizer | §4 (all of §4) |
| 10 | DIY — OpenHaystack / Macless-Haystack | ESP32/nRF as Find My beacon; keygen → flash → advertise → fetch → decrypt; static-key caveat; ToS | §5 (all of §5) |
| 11 | Detection devices for hidden/unwanted tags | iOS native alert; Android native alert; AirGuard; Tracker Detect; RF sweeper limits; DULT spec | §2.1 (platform card) |
| 12 | DIY detection & finding | bluetoothctl/btmon/bleak, RSSI-walk, NFC serial read, three-gate filter, key-rotation problem and solution | §7 (commands), §2.2 (sweep) |
| 13 | Add-ons to existing Hack Tools gear | Flipper (weak), AWOK+Marauder (best owned), Game Over, Nyan Box, nRF52840 (best $10), HackRF (no UWB) | §6 (gear table + ranking) |
| 14 | Operational posture, legal & ethics | Make-vs-find line, statutes (US/EU/UK/CA/AU), data handling, evidence preservation, DV resources | §9 (all of §9) |

This is Volume 15 of a fifteen-volume series — the synthesis and laminate-ready field card. It is not a standalone reference: it is the quick-access surface for the series. When a fact here seems incomplete or its nuance matters, the source volume (rightmost column above) is where the depth lives. The detection techniques on this card assume defensive, consent-based use — see §9 and Vol 14 for the legal envelope, and _shared/legal_ethics.md for the hub-wide posture framework. Sibling counter-surveillance topic: the Nyan Box/ hidden-camera detection deep dive.