Apple's U1/U2 silicon, the IEEE 802.15.4z HRP impulse-radio PHY, the channel-5/9 plan at 499.2 MHz, distance from two-way time-of-flight, bearing from multi-antenna angle-of-arrival, the distance-arrow-and-haptics UX, how Samsung SmartTag UWB compares — and why a 6 GHz-ceiling HackRF rules UWB off the bench

3.1 About this Volume

This is the second of the three theory volumes (Vols 2–4) and covers the AirTag’s second radio. Vol 2 dissected the Bluetooth Low Energy offline-finding mechanism — the rotating NIST P-224 key in a FF 4C 00 12 … advertisement, the anonymous finder reports, the owner-only decrypt — and that mechanism is what locates a tag anywhere on Earth, to within “somewhere in this building” accuracy. It is also where Vol 2 stopped: it handed the last few metres to this volume. Ultra-Wideband (UWB) Precision Finding is the radio that takes over once BLE has gotten you close, turning “your keys are in this room” into a distance readout and an on-screen arrow that points you to within a hand’s-width of the tag.

UWB is a completely different radio from BLE — different band (6–8 GHz, not 2.4 GHz), different PHY (impulse radio, not GFSK), different silicon (Apple’s U1/U2, not the nRF52832 of Vol 2), and a fundamentally different measurement: BLE estimates proximity crudely from received-signal-strength (RSSI), while UWB measures distance directly from the time of flight of a radio pulse and direction from the phase difference of that pulse across several antennas. The result is decimetre-class range and a true bearing — geometry, not a signal-strength guess.

What this volume covers, and what it defers. Here: why a second radio exists at all (§2), the impulse-radio physics and the IEEE 802.15.4z HRP channel plan (§3), Apple’s U1/U2 silicon and which devices carry it (§4), two-way ranging for distance (§5), angle-of-arrival for bearing (§6), the end-to-end Precision Finding session and its distance/arrow/haptic UX (§7), how Samsung’s SmartTag UWB compares (§8), and the bench reality — why this radio is, for now, theory-only on Hack Tools gear (§9). Deferred by design: the BLE/Find-My crypto is Vol 2 and is not re-derived here (this volume cross-references it rather than repeating it); the physical U1 package, antennas, and PCB are the AirTag teardown in Vol 5; the operational “press Find, follow the arrow” walk-through is Vol 6; the broader SmartTag/SmartTag2 family head-to-head is Vol 7; and the HackRF “can it even receive this band” question gets its full, gear-specific treatment in Vol 13 and in the HackRF One/ deep dive — §9 here states the conclusion and the physics behind it.

Spec-sourced, from the standard rather than a capture. As of 2026-06-25 there is no AirTag and no UWB-capable phone on the bench, and — unlike the BLE layer of Vol 2 — there is no OpenHaystack-style open reimplementation of the UWB ranging to lean on. Apple has never published a U1 datasheet, and the Precision Finding session protocol above the 802.15.4z PHY is proprietary and largely un-reverse-engineered. So this volume is grounded in the public standard — IEEE 802.15.4/802.15.4z^[IEEE Std 802.15.4z-2020, Enhanced Ultra Wideband (UWB) Physical Layers (PHYs) and Associated Ranging Techniques — the amendment that defines the HRP and LRP UWB PHYs and the two-way / TDoA ranging used by FiRa-class devices. The channel plan, pulse parameters, and ranging-frame structure cited in §3 and §5 are from this standard and the base IEEE Std 802.15.4-2020.] and the FiRa Consortium interop specifications^[FiRa Consortium — the industry body (NXP, Samsung, Apple-adjacent ecosystem, Qorvo and others) standardizing 802.15.4z HRP interoperability for ranging. FiRa’s PHY/MAC and “UWB MAC” technical requirements documents define the interoperable subset of 802.15.4z that consumer UWB devices implement. https://www.firaconsortium.org/] — plus published teardowns that identify the U1 silicon and its antenna count. Where a number is Apple-specific and unpublished (exact U1 antenna count, the session-layer message format, the real-world accuracy Apple targets), this volume gives the standard’s value or the teardown-reported figure and flags it as inference, not a bench measurement. The bench-verification pass — if it ever happens — would need lab UWB gear, not the BLE tools the rest of the series uses (§9).

3.2 Why a second radio

3.2.1 The Precision Finding problem statement

Recall the resolution ladder. The crowdsourced BLE network of Vol 2 answers “where on the map is my tag?” with the GPS fix of whatever stranger’s phone last heard it — accurate to tens of metres, and only as fresh as the last finder to walk past. That gets you to the right building, the right room. It does not get you to the couch cushion, the gap behind the dresser, or the specific bag in a pile of luggage. The last few metres are a different problem, and BLE is structurally bad at solving them.

The naive idea is to use BLE’s own received signal strength: stronger signal = closer tag, walk toward the peak. This is the RSSI-walk technique, and it is exactly what the detection volumes (Vol 12) fall back to because UWB is unavailable to general-purpose gear — but it is a poor instrument. RSSI is a logarithmic, multipath-corrupted, antenna-orientation-dependent proxy for distance: a tag behind a metal radiator can read weaker than one twice as far away in free space, and the readout swings several dB as you rotate the phone in your hand. You can home in on a tag by RSSI with patience, but it is a hot-and-cold game, not a measurement.

Apple’s answer was to add a radio that measures distance physically — by timing a pulse — and direction geometrically — by comparing that pulse’s arrival across multiple antennas. That radio is UWB, and the feature it powers is Precision Finding: when a supported iPhone gets within UWB range of an AirTag, the Find My app drops the map and shows a full-screen distance (“9 ft”), a large directional arrow, and escalating haptics, walking you to the tag the way a metal detector walks you to a coin.

3.2.2 BLE finds the room; UWB finds the hand

The two radios are complementary, not redundant, and they hand off in sequence. BLE is the long-range, always-on, coin-cell-friendly beacon (Vol 2 §2); UWB is the short-range, high-precision, power-hungry burst that only fires during an active find. The division of labour falls straight out of their physics:

   The Find My resolution ladder — two radios, two jobs
   ════════════════════════════════════════════════════

   range        radio / method            answers                accuracy
   ──────       ──────────────            ─────────              ──────────
   km–global    Find My crowd (BLE, V2)   "which city / building" ~10–50 m
                via a stranger's GPS       (when a finder passed)

   ~10–100 m    BLE RSSI proximity        "warmer / colder"       ~metres,
                (your own phone)           (the couch-cushion case) noisy

   ~0.1–10 m    UWB Precision Finding      "9 ft, THAT direction"  ~10 cm +
                (this volume)              distance + bearing       true bearing
                                           ↑ only on U1/U2 iPhone + UWB tag

The crucial property of the bottom rung is that it is not a signal-strength estimate. A UWB range is a measured time; a UWB bearing is a measured phase geometry. Multipath and orientation still perturb them, but the underlying quantity is a physical time-of-flight, not the lossy RSSI proxy. That is why the arrow can confidently say “behind you, 3 feet” where an RSSI heatmap would just shrug.

3.2.3 BLE vs UWB — the capability split

This is the required BLE-versus-UWB comparison. It is the single table to internalize for the rest of the series: it explains both why Precision Finding is so much better than RSSI homing and why the detection half (Vols 11–13) cannot use UWB — the tools that exist see the left column, not the right.

Table 1 — 2.3 BLE vs UWB — the capability split

Dimension	BLE (Vol 2)	UWB (this volume)
Band	2.4 GHz ISM (2402–2480 MHz)	6–8 GHz (ch. 5 ≈ 6.49 GHz, ch. 9 ≈ 7.99 GHz)
PHY	GFSK, 1/2 Mbps, narrowband (~1–2 MHz)	Impulse radio (IR-UWB), 499.2 MHz channel BW
Pulse / symbol	continuous modulated carrier	~2 ns RF pulses, burst-then-idle
What it measures	RSSI (signal strength → crude proximity)	time-of-flight → distance; phase → bearing
Distance accuracy	metres, multipath/orientation-corrupted	~10 cm class
Direction	none (omnidirectional RSSI)	true bearing (multi-antenna AoA)
Range	tens of m (separated-state advert)	~0.1–15 m (line-of-sight, session-only; ≈10 m typical, see §7.4)
Power	~µA average — runs a CR2032 ~1 yr (Vol 2)	mW-class burst — duty-cycled to seconds/find
Always on?	yes (advertises every ~2 s)	no — wakes only for a Precision Finding session
Silicon (AirTag)	nRF52832 (Vol 5)	Apple U1 (Vol 5)
Role	locate globally; “which room”	home in; “which hand”
Visible to owned gear?	yes (Flipper/Marauder/nRF sniffer, Vol 13)	no — no consumer UWB receiver (§9)

The last two rows are the thesis of this volume’s back half. Everything that makes UWB a superb finding radio — the exotic 6–8 GHz band, the impulse waveform, the proprietary session — also makes it invisible to the BLE-class tools on the Hack Tools bench. UWB is the better radio and the unreachable one.

3.3 Impulse-radio UWB and the 802.15.4z HRP PHY

3.3.1 What “ultra-wideband” actually means

“Ultra-wideband” is a regulatory and physical-layer category, not a brand. The FCC’s definition (and the analogous ETSI rules) is a signal whose fractional bandwidth exceeds 20 %, or whose instantaneous bandwidth exceeds 500 MHz, radiated under a strict low-power-spectral-density mask^[FCC 47 CFR Part 15 Subpart F (§15.501–§15.519) governs UWB emission. The defining constraints are a –41.3 dBm/MHz average EIRP spectral-density limit across the 3.1–10.6 GHz band and the 500 MHz / 20 % fractional-bandwidth threshold for what counts as “ultra-wideband.” ETSI EN 302 065 is the European analogue.]. The –41.3 dBm/MHz ceiling is the same spectral-density limit unintentional radiators live under — UWB is, by regulatory design, a whisper spread across an enormous band. That is the whole trick: very little power per hertz, but so many hertz that the time-domain pulse is extraordinarily sharp.

That sharpness is the point. There are two ways to build a wide-bandwidth signal:

Carrier-based wideband (e.g. Wi-Fi’s 80/160 MHz OFDM channels) — a modulated carrier occupying a wide band but still fundamentally a continuous waveform.
Impulse radio (IR-UWB) — transmit literally nothing most of the time, then emit an extremely short RF pulse (on the order of a nanosecond or two). A signal that exists for ~2 ns necessarily occupies hundreds of MHz of bandwidth, because the time-bandwidth product is conserved: a narrow pulse in time is a wide spectrum in frequency.

Apple’s UWB, the 802.15.4z HRP PHY, and FiRa-class ranging all use impulse radio. The waveform is a train of ~2 ns pulses, not a modulated carrier, and that choice is what makes precise timing — and therefore precise ranging — possible (§3.4).

3.3.2 The HRP impulse-radio waveform

IEEE 802.15.4z amends the older 802.15.4 UWB PHY and defines two UWB physical layers. The distinction matters because consumer “find my thing” UWB uses one of them and not the other:

Table 2 — IEEE 802.15.4z amends the older 802.15.4 UWB PHY and defines two UWB physical layers. The distinction matters because consumer "find my thing" UWB uses one of them and not the other

PHY	Name	Pulse / rate	Used by
HRP	High Rate Pulse-repetition-frequency	high PRF (~62–250 MHz, BPRF–HPRF-2), coherent	Apple U1/U2, Samsung SmartTag, FiRa ranging
LRP	Low Rate Pulse-repetition-frequency	low PRF, energy-detection	some access-control / automotive (e.g. car-key) niches

The consumer item-tracker world — AirTag, SmartTag, and the FiRa interop everyone is chasing — is HRP. An HRP packet is built from:

A synchronization header (SHR) — a preamble of repeated ternary preamble-code symbols that lets the receiver lock onto the pulse train and, critically, estimate the precise arrival time of the leading edge of the first pulse. The leading-edge timestamp is the raw material of ranging (§5).
A start-of-frame delimiter (SFD) marking the preamble/data boundary.
A PHY header (PHR) and data payload carrying the ranging-frame contents (who is ranging whom, sequence numbers, and — in the secure mode — the cryptographically randomized timestamp sequence that makes the ranging spoof-resistant, the STS, scrambled timestamp sequence, added by the “z” amendment).

   An 802.15.4z HRP ranging frame (conceptual)
   ═══════════════════════════════════════════

   │◄── SHR preamble ──►│SFD│◄ PHR ►│◄── payload / STS ──►│
   │ ▁▟▙▁▁▟▙▁▁▟▙▁▁▟▙▁▁  │   │       │                     │
   │  ↑ ~2 ns pulses,    │   │       │  ranging info +     │
   │    PRF ~64 MHz      │   │       │  scrambled timestamp│
   │                     │   │       │  sequence (STS, 'z')│
   └─────────────────────┴───┴───────┴─────────────────────┘
        ▲ receiver estimates leading-edge ToA from the preamble
          → this timestamp, differenced across packets, IS the range (§5)

The “z” in 802.15.4z is largely about that STS: pre-802.15.4z UWB ranging could be attacked by an adversary who predicts and replays the pulse timing to forge a shorter distance (a distance-reduction / relay attack — the same class that threatens UWB car keys). The STS randomizes the ranging waveform with a per-session secret so the leading-edge time cannot be forged. For an AirTag the threat model is mild, but the PHY Apple uses is the secured one.

3.3.3 The channel plan — channels 5 and 9

This is the required UWB channel/frequency table, contrasted with BLE and Wi-Fi so the band placement is unambiguous. IEEE 802.15.4 numbers its UWB channels; the two that matter for consumer item-trackers are channel 5 and channel 9, both in the upper UWB sub-band, each 499.2 MHz wide^[Channel centres and bandwidth from IEEE Std 802.15.4-2020 Table 11-2 (UWB PHY channel assignments): ch. 5 = 6489.6 MHz, ch. 9 = 7987.2 MHz, nominal channel bandwidth 499.2 MHz. The 499.2 MHz figure is the canonical HRP channel bandwidth (a 499.2 MHz chipping/pulse-repetition base). FiRa-certified consumer devices, including Apple’s U1, operate on channels 5 and 9.]:

Table 3 — This is the required UWB channel/frequency table, contrasted with BLE and Wi-Fi so the band placement is unambiguous. IEEE 802.15.4 numbers its UWB channels; the two that matter for consumer item-trackers are channel 5 and channel 9, both in the upper UWB sub-band, each 499.2 MHz wide^[Channel centres and bandwidth from IEEE Std 802.15.4-2020 Table 11-2 (UWB PHY channel assignments): ch. 5 = 6489.6 MHz, ch. 9 = 7987.2 MHz, nominal channel bandwidth 499.2 MHz. The 499.2 MHz figure is the canonical HRP channel bandwidth (a 499.2 MHz chipping/pulse-repetition base). FiRa-certified consumer devices, including Apple's U1, operate on channels 5 and 9.]

Standard	Channel	Center freq	Bandwidth	Span (approx)	Modulation
UWB 802.15.4z	5	6489.6 MHz	499.2 MHz	6240–6739 MHz	IR-UWB (HRP)
UWB 802.15.4z	9	7987.2 MHz	499.2 MHz	7738–8237 MHz	IR-UWB (HRP)
BLE	37/38/39 (adv)	2402 / 2426 / 2480 MHz	~1–2 MHz each	within 2400–2483.5	GFSK
Wi-Fi 5 GHz	e.g. 36	5180 MHz	20–160 MHz	5150–5895 (band)	OFDM
Wi-Fi 6E	6 GHz band	5925–7125 MHz	20–320 MHz	(overlaps UWB ch. 5 region)	OFDM

Three things to take from this table:

The usable consumer-UWB span runs roughly 6.24–8.24 GHz — the union of channel 5’s and channel 9’s 499.2 MHz windows. “6.5–8 GHz” (the shorthand Vol 1 used) is a fair loose label, but the precise plan is channel 5 centred at 6489.6 MHz and channel 9 at 7987.2 MHz, each 499.2 MHz wide. Use the exact centres when the math matters (§6.2’s wavelength, §9.2’s HackRF ceiling).
Each UWB channel is ~250× wider than a whole BLE advertising channel — 499.2 MHz versus ~2 MHz. That bandwidth ratio is the entire reason UWB can range to ~10 cm while BLE cannot (§3.4).
Channel 5 brushes against the Wi-Fi 6E band. The lower edge of the 6 GHz Wi-Fi allocation and the channel-5 UWB window are RF neighbours. This is mostly a coexistence footnote — UWB’s spectral density is so low it lives under the noise — but it is also why the exact 6489.6 MHz centre matters: it sits above 6 GHz, which is the cliff a HackRF falls off (§9.2).

3.3.4 Why wide bandwidth buys fine ranging

The reason UWB measures distance well, and BLE cannot, is one equation away. Ranging is timing, and timing resolution is set by bandwidth. A receiver’s ability to pin down the arrival time of a pulse improves as the signal bandwidth grows, because a wider band supports a sharper pulse with a steeper leading edge, and a steeper edge can be timestamped more precisely.

The intuition, with the numbers:

A pulse confined to ~2 ns has, by the time-bandwidth relation, a spectrum ~500 MHz wide — i.e. exactly the 499.2 MHz channel. Conversely, a ~2 MHz BLE channel can only support a pulse no shorter than ~500 ns. The BLE edge is ~250× blurrier in time.
Light travels ≈ 30 cm per nanosecond ($c \approx 3\times10^8$ m/s). So a timing error of 1 ns is a distance error of ~30 cm of path length. A radio that can timestamp to a fraction of a nanosecond can range to decimetres; a radio whose pulse is 500 ns blurry cannot get near that.

A quick figure-of-merit for impulse ranging:

   Bandwidth → time resolution → distance resolution
   ══════════════════════════════════════════════════

   pulse width  τ  ≈  1 / B
   B = 499.2 MHz  ⇒  τ ≈ 2.0 ns         (the ~2 ns UWB pulse)
   B =   2   MHz  ⇒  τ ≈ 500  ns        (a BLE channel)

   path resolution per pulse  ≈ c·τ
   UWB :  c·τ ≈ (3e8 m/s)(2.0e-9 s) ≈ 0.60 m   raw
   BLE :  c·τ ≈ (3e8 m/s)(500e-9 s) ≈ 150  m   raw  ← useless for ranging

   Leading-edge estimation + averaging over the preamble's many
   pulses (PRF ~64 MHz) beats the raw per-pulse figure by ~5–10×,
   delivering Apple's ~10 cm-class Precision Finding accuracy.

Two distinctions an RF engineer will want kept straight:

Resolution vs accuracy. The ~0.60 m above is the raw single-pulse resolution. The accuracy of a UWB range is better than its single-pulse resolution because the HRP preamble contains many pulses (at ~64 MHz PRF), and estimating the leading-edge arrival from the whole preamble — plus super-resolution leading-edge algorithms that separate the direct path from early multipath — averages the timing jitter down. That is how a 499.2 MHz channel yields ~10 cm accuracy rather than 60 cm.
The dominant error in practice is multipath, not thermal jitter. In a cluttered room the first arriving pulse is the line-of-sight path, but reflections arrive nanoseconds later and can smear the leading-edge estimate. UWB’s narrow time pulse is precisely what lets the receiver resolve the direct path from the reflections (they are separated in time by their extra path length), which is why impulse radio beats carrier-based wideband for indoor ranging.

3.3.5 FiRa, the standard, and interop

802.15.4z defines the PHY and the ranging primitives; it does not by itself guarantee that one vendor’s UWB chip can range against another’s. That interop layer is the FiRa Consortium’s job: FiRa specifies the interoperable subset of 802.15.4z HRP — which channels (5 and 9), which preamble codes, which ranging-frame structure, which “controller/controlee” session roles — so that a FiRa-certified phone and a FiRa-certified tag can complete a ranging exchange. Apple, Samsung, NXP, Qorvo and the broader UWB ecosystem participate; FiRa certification is the consumer-UWB analogue of Wi-Fi Alliance certification.

For this series the relevance is twofold. First, it is why Apple’s U1 and Samsung’s NXP-based SmartTag silicon implement recognizably the same PHY and channel plan even though the session layer above is proprietary and non-interoperable (an AirTag will not Precision-Find against a Galaxy phone — §8). Second, it is the reason the PHY is documented at all: the standard and FiRa’s public technical requirements are the authoritative source this volume cites, in the continued absence of any open AirTag-UWB reimplementation.

3.4 Apple’s UWB silicon — U1 and U2

3.4.1 The U1 (2019)

Apple’s first UWB chip is the U1, introduced in the iPhone 11 family in September 2019 — the first consumer UWB radio to ship at phone scale. Apple branded it “U1” and described it only in marketing terms (“spatial awareness,” “like adding another sense”); there is no public datasheet, and what is known about the silicon comes from teardowns and the 802.15.4z/FiRa standards it implements^[The U1 was identified in iPhone 11 teardowns (iFixit, TechInsights, System Plus Consulting) as an Apple-designed UWB die; its support for 802.15.4 channels 5 and 9 and its multi-antenna angle-of-arrival capability are inferred from the standard, FiRa, and Apple’s Precision Finding behavior. Apple publishes no U1 register map or antenna count; figures here are teardown-reported or standard-derived, not from an Apple datasheet.].

What the U1 does, established from behavior and the standard:

Implements the 802.15.4z HRP PHY on channels 5 and 9.
Drives a multi-antenna UWB array in the host iPhone (teardowns report on the order of three UWB antennas — the count needed to measure bearing in two angular dimensions; see §6), enabling angle-of-arrival measurement. This is the U1’s headline capability: it is not just a ranging radio, it is a direction-finding radio.
Performs two-way ranging against a single-antenna responder (the AirTag’s U1) to produce distance.
First appeared in iPhone 11 / 11 Pro (2019), then propagated to Apple Watch Series 6 and later, the HomePod mini, and — the reason it is in this series — the AirTag itself (2021), where it is the responder end of the link (Vol 5 teardown).

The AirTag and the iPhone carry the same family of UWB silicon but play opposite roles: the iPhone’s U1 is the initiator/anchor with the antenna array that computes range and bearing; the AirTag’s U1 is the responder/tag with a single antenna that simply replies to the ranging frames. All the geometry (§5, §6) is computed on the phone.

3.4.2 The U2 (2023)

The U2 debuted in 2023 with the iPhone 15 family and the Apple Watch Series 9 / Ultra 2. Apple’s stated improvements are longer range (roughly up to ~3× the line-of-sight find distance of the U1, per Apple’s Precision Finding marketing) and lower power, in a physically smaller package — an evolution, not a new modality. The U2 still implements the same 802.15.4z HRP channel-5/9 plan and the same two-way-ranging + angle-of-arrival approach; it is not a new protocol, and a U2 iPhone Precision-Finds a (U1-equipped) AirTag exactly as a U1 iPhone does, just farther and on less battery.

The practical consequence for the reader: U1 and U2 are interchangeable from the AirTag’s point of view. The tag’s U1 responder talks to whichever generation of UWB silicon the phone carries. There is no “U2 AirTag” needed to benefit from a U2 phone’s longer range — the improvement is on the phone side. (Whether a future AirTag adopts U2-class silicon is a Vol 5 / Vol 7 question; as of this writing the shipping AirTag carries a U1.)

[FIGURE SLOT — Vol 3, § 4.2] A die shot or package photo of an Apple U1 UWB chip (or, failing that, a clear photo of a UWB antenna array / a generic 802.15.4z UWB module such as a Qorvo/Decawave DWM3000 — the same HRP impulse-radio class). The goal is to put a face on the radio: this is the silicon that emits the ~2 ns pulses and runs the ranging session. A generic FiRa/Qorvo UWB module keeps the figure license-clean if no U1 die shot is available. Source: Photo Helper Commons/Openverse search “UWB module DW3000” / “ultra-wideband antenna” (generic component class — CC-licensed), or a published U1 teardown die shot credited to its source (TechInsights / iFixit) marked reference-only. Caption when filled: “Figure 3.1 — A FiRa-class 802.15.4z HRP UWB module, the radio class of Apple’s U1/U2 (the AirTag carries a U1 responder; the iPhone a U1/U2 with a multi-antenna array). Photo: . .“

3.4.3 The device-support matrix

This is the required device-UWB-support matrix. Precision Finding requires UWB on both ends — a UWB tag and a UWB-equipped phone running the right OS. The asymmetry to remember: an iPhone older than the 11 can still use an AirTag (pair it, ring it, see it on the Find My map, get “play sound”) — it simply falls back to BLE proximity and shows no arrow, because it has no U1/U2 to range with.

Table 4 — 4.3 The device-support matrix

Device	UWB chip	Precision Finding?	Notes
iPhone 11 / 11 Pro (2019)	U1	Yes	First UWB iPhone — the floor for Precision Finding
iPhone 12 / 13 / 14	U1	Yes	U1 across the line
iPhone 15 / 16 family (2023+)	U2	Yes	Longer range, lower power (§4.2)
iPhone XS / XR / SE and older	none	No	BLE only → ring + map, no arrow
iPhone SE (all gens)	none	No	No UWB in any SE → BLE fallback
Apple Watch S6 / S7 / S8	U1	(device-find)	UWB for device-to-device finding; AirTag arrow is iPhone-side
Apple Watch S9 / Ultra 2 (2023+)	U2	(device-find)	“Precision Finding for iPhone” device-to-device
HomePod mini / HomePod (2nd gen)	U1	(handoff)	UWB for handoff, not AirTag arrow
Apple AirTag	U1 (responder)	n/a (it’s the tag)	Single UWB antenna; the responder end
Samsung Galaxy S21+/Ultra, S22/S23/S24 Ultra, Z Fold	UWB (NXP)	Galaxy-side	Ranges SmartTag+/SmartTag2, not AirTag (§8)
Samsung Galaxy A-series, base S-series	none	No	SmartTag falls back to BLE
Google Pixel, most Android	none (mostly)	No	A few flagships have UWB but no AirTag PF path

The structural rule: Precision Finding is an iPhone-11-and-later capability, locked to the Apple ecosystem at both ends, and entirely BLE-fallback on anything without a U-series chip. Samsung has a parallel UWB capability locked to its own ecosystem (§8). The “which phone does what” picture across all features — register, locate, be-found-by, detect — is its own volume (Vol 9); this matrix is just the UWB-Precision-Finding slice of it.

3.5 Two-way ranging — distance from time-of-flight

3.5.1 The clock-offset problem

The obvious way to measure distance with a radio pulse is one-way: the tag stamps “I transmitted at $t_\text{tx}$,” the phone notes “I received at $t_\text{rx}$,” and the distance is $c \cdot (t_\text{rx} - t_\text{tx})$. This fails for a fatal practical reason: the two devices do not share a clock. Their oscillators are independent, offset by an unknown amount, and drifting relative to each other. An unknown clock offset of even 1 ns corrupts the range by 30 cm; the offsets between two free-running crystals are vastly larger than that. One-way time-of-flight needs synchronized clocks the tag and phone do not have.

Two-way ranging (TWR) sidesteps the problem entirely by measuring a round trip on a single clock. The initiator (the phone) measures the total elapsed time from “I sent the poll” to “I received the response,” using only its own clock for both timestamps — so its clock offset cancels. The responder (the tag) reports how long it held the packet before replying (its turnaround/processing delay), and the initiator subtracts that. What remains is twice the one-way flight time. No shared clock is required; each side times intervals on its own oscillator.

3.5.2 Two-way ranging geometry

This is the required two-way-ranging time-of-flight diagram. The initiator is the iPhone’s U1/U2; the responder is the AirTag’s U1. Time runs downward; the diagonal arrows are the pulses crossing the gap at the speed of light.

   Single-sided two-way ranging (SS-TWR) — the time-of-flight geometry
   ═══════════════════════════════════════════════════════════════════

   iPhone (initiator)                         AirTag (responder)
   U1/U2 + antenna array                      U1 + single antenna
        │                                            │
   t1 ──┤ transmit POLL  ──────────╲                 │
        │                  pulse     ╲  T_prop        │
        │                  in flight   ╲              │
        │                                ╲──────────► ├── receive POLL
        │                                             │
        │                                             │  T_reply
        │                                             │  (known turnaround
        │                                             │   delay, reported)
        │                                ╔──────────  ├── transmit RESPONSE
        │                  pulse       ╱               │
        │                  in flight ╱  T_prop         │
   t4 ──┤ receive RESPONSE ◄───────╱                  │
        │                                            │
        ▼ time                                       ▼

   Measured by the initiator on ITS OWN clock:   T_round = t4 − t1
   Reported by the responder:                    T_reply (its hold time)

        T_prop = ( T_round − T_reply ) / 2          ← one-way flight time
        distance d = c · T_prop                     ← c ≈ 0.30 m / ns

   Worked: d = 3 m ⇒ T_prop = 10 ns ⇒ a 6 m round trip = 20 ns of flight,
   buried inside a T_reply that may be hundreds of µs — hence the clock-
   offset / drift care of §5.3.

The arithmetic is exactly the round-trip-minus-turnaround-over-two of the brief: $T_\text{prop} = (T_\text{round} - T_\text{reply})/2$, and $d = c\cdot T_\text{prop}$. Everything subtle is in measuring $T_\text{round}$ and $T_\text{reply}$ precisely enough — because the flight time (tens of nanoseconds for a few metres) is a tiny sliver of the total round trip (the responder’s turnaround delay is typically much larger than the flight time), so small fractional errors in the large numbers swamp the small one.

3.5.3 Single-sided versus double-sided TWR

The simple scheme above (§5.2) is single-sided TWR (SS-TWR): one poll, one response, one subtraction. Its weakness is clock-frequency offset. The initiator measures $T_\text{round}$ on its clock and the responder measures $T_\text{reply}$ on its clock; if the two crystals run at slightly different rates (tens of ppm is normal), the subtraction $T_\text{round} - T_\text{reply}$ carries a residual error proportional to the (large) $T_\text{reply}$ and the frequency offset. For a long turnaround that residual can dwarf the flight time.

Double-sided TWR (DS-TWR) fixes it with a third message: poll → response → final, so that both sides measure a round trip and the two are combined in a way that cancels the clock-frequency offset to first order. DS-TWR is the standard high-accuracy mode and is what 802.15.4z and FiRa specify for precision ranging; it trades one extra packet for an order-of-magnitude reduction in clock-drift error.

Table 5 — 5.3 Single-sided versus double-sided TWR

Scheme	Messages	Cancels clock offset?	Cancels clock drift?	Use
One-way ToF	1	No (needs shared clock)	No	not usable here
SS-TWR	2 (poll, response)	Yes (single clock per round)	No — drift residual	quick / coarse
DS-TWR	3 (poll, response, final)	Yes	Yes (to first order)	precision ranging (FiRa)

For an AirTag Precision Finding session the phone runs many ranging exchanges per second; the per-exchange range is then filtered over time and fused with the AoA bearing (§6) and the phone’s own motion (its IMU) to produce the smooth distance readout the UX shows. A single range is a noisy ~10 cm estimate; the displayed “9 ft” is a filtered track.

3.5.4 From a timestamp to ten centimetres

Stacking the pieces: the HRP preamble (§3.2) lets the U1 timestamp a pulse’s leading edge to a fraction of a nanosecond; TWR (§5.2) turns two such timestamps into a one-way flight time without a shared clock; DS-TWR (§5.3) removes the crystal-drift error; the wide 499.2 MHz channel (§3.4) makes the leading edge sharp enough to resolve the direct path from multipath. The product is a distance good to ~10 cm under line-of-sight, degrading gracefully (to tens of cm) through clutter and around corners.

   The ranging accuracy stack
   ══════════════════════════

   499.2 MHz channel  ─► ~2 ns pulse ─► sharp leading edge
            │                                    │
            ▼                                    ▼
   leading-edge ToA estimate (sub-ns)   resolves LOS from multipath
            │
            ▼
   DS-TWR  ─► flight time, clock-offset + drift removed
            │
            ▼
   per-exchange range ≈ ±10 cm  ─► filtered over many exchanges/s
            │                       + fused with AoA (§6) + phone IMU
            ▼
   displayed distance:  "9 ft", updating smoothly  (Vol 6 UX)

This is the quantitative payoff of the whole UWB apparatus, and the contrast with BLE RSSI (§2.1) is total: BLE estimates a signal level and infers proximity; UWB measures a time and computes distance. One is a guess that fights multipath; the other is a measurement that uses the multipath structure (the time-separated reflections) to find the direct path.

3.6 Angle-of-arrival — bearing from antenna phase

Distance alone gets you a radius — “the tag is 3 m away, somewhere on a sphere.” The arrow needs direction, and that is the U1’s second, distinct measurement: angle-of-arrival (AoA), computed from the phase (equivalently, the sub-nanosecond time) difference of the same pulse arriving at the phone’s several antennas.

3.6.1 The asymmetric antenna picture

The two ends of the link are deliberately asymmetric, and this is the key architectural fact:

The AirTag has a single UWB antenna. It is the responder; it transmits and receives ranging pulses from one antenna and measures no angle. It does not know, and does not need to know, where the phone is.
The iPhone has a multi-antenna UWB array (teardown-reported on the order of three antennas — see §4.1). Because the same incoming pulse reaches each antenna at a slightly different time (and therefore a slightly different RF phase), the phone can solve for the direction the pulse came from. Two antennas give one angular dimension (azimuth); a third, non-collinear antenna adds the second (elevation), so the phone can place the tag’s bearing in 2-D, which is what lets the arrow point up/down as well as left/right.

So Precision Finding = the iPhone computes both range (TWR, §5) and bearing (AoA, this section); the AirTag just answers. All the geometry lives on the phone. The tag is a cooperative single-antenna reflector with a clock.

3.6.2 Phase-difference-of-arrival geometry

This is the required angle-of-arrival phase-difference diagram. A plane wave from a distant tag arrives at the phone’s two antennas (spacing $d$) along parallel rays; the ray to the farther antenna travels an extra path $\Delta = d\sin\theta$, which shows up as a measurable phase difference $\Delta\varphi$ between the two antennas.

   Angle-of-arrival from phase-difference (two antennas, one baseline)
   ═══════════════════════════════════════════════════════════════════

            incoming UWB wavefront from the tag (plane wave)
              ╲      ╲      ╲      ╲      ╲      ╲   (arrives at angle θ
               ╲      ╲      ╲      ╲      ╲      ╲   off boresight)
                ╲      ╲      ╲      ╲      ╲      ╲
                 ╲      ╲      ╲      ╲      ╲      ╲
        ─────────A1══════════════════════A2─────────  phone antenna array
                  │◄──────── d ────────►│             (spacing d)
                  │                  ╱                 extra path to A2:
                  │              ╱   Δ = d·sinθ        Δ = d · sin θ
                  └──────────╱

        phase difference measured between A1 and A2:

              Δφ = (2π / λ) · d · sin θ

        solve for the bearing:

              θ = arcsin(  Δφ · λ / (2π · d)  )

        with λ = c / f :   f = 6489.6 MHz (ch.5) ⇒ λ ≈ 4.62 cm
                           f = 7987.2 MHz (ch.9) ⇒ λ ≈ 3.75 cm

        choose d ≈ λ/2 (~2 cm) so |Δφ| ≤ π over θ ∈ [−90°,+90°]
        → no phase ambiguity across the full forward hemisphere

The wavelength numbers are worth carrying: at channel 5’s 6489.6 MHz centre, $\lambda = c/f \approx 4.62$ cm; at channel 9’s 7987.2 MHz, $\lambda \approx 3.75$ cm. To measure $\theta$ unambiguously over the forward hemisphere the antenna spacing $d$ should be about $\lambda/2$ (~2 cm) — any wider and a given $\Delta\varphi$ maps to more than one angle (spatial aliasing); any narrower and the phase difference gets small and noise-dominated. That ~2 cm spacing is comfortably inside an iPhone chassis, which is part of why phone-scale AoA is feasible at these frequencies but would be awkward at 2.4 GHz (where $\lambda \approx 12.5$ cm and $\lambda/2 \approx 6$ cm).

3.6.3 From phase to a pointing angle — and its limits

The phone measures $\Delta\varphi$ on each antenna baseline, solves the $\theta = \arcsin(\Delta\varphi,\lambda / 2\pi d)$ relation for each, and combines the per-baseline angles into a 2-D bearing. Fused with the TWR range (§5) and the phone’s IMU (which knows how the phone is being held and waved), the result is a vector to the tag that the UX renders as the arrow.

The honest limitations an RF engineer will anticipate, all real:

Forward-hemisphere ambiguity. A single baseline cannot distinguish front from back (both give the same $\Delta\varphi$ sign structure). The multi-antenna geometry plus the user’s motion resolves it — Precision Finding asks you to move the phone partly so it can disambiguate and converge, not only to close distance.
Multipath corrupts phase. A reflection arriving with the direct path skews the measured $\Delta\varphi$. UWB’s time resolution (§3.4) helps the receiver weight the first (line-of-sight) arrival, but in a hard-multipath environment (a metal-walled room, a car) the bearing degrades — the arrow gets jittery or wrong, and the UX leans harder on distance + “keep moving.”
It is short-range and line-of-sight-favouring. AoA needs enough SNR on every antenna; through a wall or across a large room the angle estimate falls apart before the range does. This is why Precision Finding only engages in the last few metres (§7.4), after BLE has done the long-haul work.
Bearing accuracy is degrees, not arc-seconds. Real consumer UWB AoA is good to roughly ±10–25° in favourable conditions — enough to point a person at a tag a few metres away, not a surveying instrument. The UX is forgiving because a human closing on a target corrects continuously.

3.7 The Precision Finding session and its UX

3.7.1 The BLE-to-UWB handoff

UWB does not run continuously — it cannot, on a CR2032 (Vol 1 §2.3, Vol 2 §2.1). The AirTag’s U1 is asleep almost always and is woken, on demand, via BLE. The sequence that starts a Precision Finding session:

The owner taps Find / Find Nearby in the Find My app on a U1/U2 iPhone.
The phone is already hearing the tag’s BLE advertisement (Vol 2) — that is how it knows the tag is in BLE range. Over BLE it signals the tag (in the paired/owner-present state, the tag can present a connectable interface — the state machine is Vol 4) to wake its UWB radio and begin a ranging session.
Both U1s now run the 802.15.4z HRP ranging exchange (§5) on channel 5/9, many times a second, while the phone simultaneously measures AoA (§6).
When the session ends (tag found, or user backs out, or range lost), the UWB radio sleeps again and the tag returns to pure BLE advertising.

This BLE-wakes-UWB handoff is why UWB is only ever active during an active find — seconds at a time, owner-initiated — and contributes negligibly to the tag’s ~1-year battery. It is also why a hidden/unwanted tag is not emitting UWB for a victim to detect: a separated tag with no owner running a session is BLE-only on the air (the detection consequence, §9.4 and Vol 12).

3.7.2 The ranging session, step by step

   A Precision Finding session — control + data flow
   ═════════════════════════════════════════════════

   iPhone (U1/U2)                              AirTag (U1)
   ──────────────                              ──────────
   [hears BLE advert (V2)]  ──── BLE ────►  [advertising, UWB asleep]
   user taps "Find Nearby"
   [BLE: start ranging] ─────── BLE ──────►  [wake UWB radio]
        │                                          │
        │   ┌───── 802.15.4z HRP, ch.5/9 ─────┐    │
        ├──►│ POLL  ───────────────────────►  │───►│ (responder)
        │   │ RESPONSE ◄───────────────────── │◄───│
        ├──►│ FINAL ───────────────────────►  │───►│  (DS-TWR, §5.3)
        │   └──────────────────────────────────┘   │
        │   measure: T_round, T_reply → range (§5)  │
        │   measure: Δφ across antenna array → AoA (§6)
        │   fuse: range + bearing + IMU             │
        ▼                                          │
   render distance + arrow + haptics (§7.3)   [reply only; computes nothing]
        │                                          │
   ... repeats many ×/s until found ...            │
   [BLE: end session] ───────── BLE ──────►  [UWB back to sleep]

Note what the tag does not do: it never computes a distance, never computes an angle, never knows where the phone is. It is a cooperative responder with a precise clock and one antenna. The entire spatial computation is the phone’s, which is exactly why an AirTag can be a $29 coin-cell device while the expensive multi-antenna AoA silicon lives in the phone you already own.

3.7.3 Distance, arrow, haptics, sound

The UX is the payoff and the part most readers have seen. On a supported iPhone, once a session is ranging, Find My replaces the map with the Precision Finding screen:

Table 6 — The UX is the payoff and the part most readers have seen. On a supported iPhone, once a session is ranging, Find My replaces the map with the Precision Finding screen

Channel	What it conveys	Driven by
Distance text	”9 ft”, “3 ft”, counting down	TWR range (§5), filtered
Directional arrow	large arrow pointing toward the tag	AoA bearing (§6) + IMU
Color / fill	screen greens / fills as you close	range thresholds
Haptics	taps that quicken as you near	range thresholds (Taptic Engine)
Sound	optional escalating tone; “play sound” rings the tag’s speaker	range + tag speaker (Vol 5)
“Here” state	haptic/visual confirmation at arm’s reach	range below ~ a few cm

The design intent is eyes-optional homing: the haptics and sound let you find a tag with the phone in a pocket or in the dark, the same way a metal detector’s tone rises as you close. The arrow handles “which way”; the distance and haptics handle “how close”; the tag’s own speaker handles the final “it’s right here, under the cushion.” All of this is the operational subject of Vol 6 — here it is shown to make the point that the rich UX is a rendering of two physical measurements, range and bearing, and nothing more.

Precision Finding is an iPhone-and-AirTag-ecosystem feature, end to end. Both ends need Apple UWB silicon (iPhone 11+ with U1/U2; AirTag’s U1), and the session protocol above the 802.15.4z PHY is Apple-proprietary. An older iPhone, an Android phone, or any non-Apple UWB device gets none of the arrow/haptic experience from an AirTag — it falls back to BLE “play sound” and the map. Conversely a Samsung SmartTag’s UWB ranging is locked to Galaxy phones (§8). UWB ranging interoperates at the FiRa PHY level (§3.5) but the finding experience does not cross ecosystems.

3.7.4 The range and accuracy envelope

Rough, spec-and-behavior-sourced numbers for the envelope (not bench-measured — flagged accordingly):

Table 7 — Rough, spec-and-behavior-sourced numbers for the envelope (not bench-measured — flagged accordingly)

Quantity	U1 (iPhone 11–14)	U2 (iPhone 15+)	Source basis
UWB engage range (LOS)	~ up to a few m (Apple cites finding from “across the room”); roughly 5–15 m practical	up to ~3× the U1 (Apple)	Apple PF marketing; inference
Distance accuracy	~10 cm class	~10 cm class	802.15.4z + §3.4
Bearing accuracy	~±10–25° (favourable)	similar	AoA limits §6.3
Update rate	many ranging exchanges/s (smooth track)	similar	session behavior
Active power	mW-class burst, session-only	lower than U1	§4.2; CR2032 budget

The envelope is the reason for the two-radio ladder (§2.2): UWB’s range is short — metres, line-of-sight-favouring — so it cannot be the finding network; it is purely the terminal-homing stage after BLE/Find-My has gotten the phone into the same small space as the tag. Outside that last-few-metres bubble there is no UWB link at all, just BLE.

3.8 Other UWB tags — Samsung SmartTag

3.8.1 SmartTag+ / SmartTag2 and NXP silicon

Apple is not the only consumer item-tracker with UWB. Samsung ships UWB ranging in two of its Galaxy SmartTag models:

Galaxy SmartTag+ (2021) — Samsung’s first UWB tag, the direct SmartTag-line analogue of the AirTag’s Precision Finding.
Galaxy SmartTag2 (2023) — the current generation, with UWB plus longer battery life and a refreshed design.

The UWB silicon here is NXP’s (NXP’s SR100T / SR040-class 802.15.4z HRP UWB), not an Apple part — Samsung is an NXP-and-FiRa-ecosystem player rather than a vertically-integrated one like Apple^[Samsung Galaxy SmartTag+ and SmartTag2 use NXP UWB silicon (the SR100T/SR040 family) implementing 802.15.4z HRP; the ranging works against UWB-equipped Galaxy flagships via Samsung’s SmartThings Find “AR Finding.” The chip identification is from Samsung/NXP product material and teardowns; exact part numbers vary by model/region.]. It implements the same 802.15.4z HRP channel-5/9 PHY (§3) — that is the FiRa interop point — and provides Samsung’s equivalent of Precision Finding, branded “AR Finding” in SmartThings Find, where the phone overlays a directional arrow on the camera view.

The ecosystem lock is the mirror image of Apple’s. SmartTag UWB ranges only against UWB-equipped Galaxy phones — the S21+/Ultra, S22/S23/S24 Ultra, Z Fold line and similar flagships (§4.3 matrix). A base-model Galaxy without UWB, and any non-Samsung phone, falls back to BLE proximity for a SmartTag exactly as an old iPhone does for an AirTag. And an AirTag and a Galaxy phone do not Precision-Find each other at all: the PHY interoperates, the session and the network do not (Vol 1 §3, Vol 9). The full SmartTag/SmartTag2-versus-AirTag head-to-head — networks, battery, button features, region — is Vol 7; here the point is narrowly that Samsung is the one other ecosystem with true UWB finding, on NXP silicon, locked to Galaxy.

3.8.2 UWB versus no-UWB finding

The rest of the tracker market has no UWB at all. Tile (all models), Chipolo (ONE/CARD/POINT), Pebblebee (Clip/Tag/Card), and the third-party Google-network tags are BLE-only: they have no second radio, no time-of-flight ranging, and no angle-of-arrival. Their “find it nearby” experience is the RSSI-warmer/colder game of §2.1, dressed up — a proximity bar and the tag’s own speaker, with no distance number and no arrow. This is the practical UWB-vs-no-UWB contrast the brief asks for, and it is stark:

Table 8 — The rest of the tracker market has no UWB at all. Tile (all models), Chipolo (ONE/CARD/POINT), Pebblebee (Clip/Tag/Card), and the third-party Google-network tags are BLE-only: they have no second radio, no time-of-flight ranging, and no angle-of-arrival. Their "find it nearby" experience is the RSSI-warmer/colder game of §2.1, dressed up — a proximity bar and the tag's own speaker, with no distance number and no arrow. This is the practical UWB-vs-no-UWB contrast the brief asks for, and it is stark

Finding experience	UWB tags (AirTag, SmartTag+/2)	BLE-only tags (Tile, Chipolo, Pebblebee)
Distance readout	Yes — “9 ft”, decimetre-class	No — proximity bar / “near”, RSSI-derived
Directional arrow	Yes — true bearing (AoA)	No — omnidirectional, no direction
Underlying measurement	time-of-flight + phase geometry	signal strength (RSSI) only
Last-metre precision	~10 cm, points to the spot	”somewhere close,” hunt by ear/RSSI
Required phone	U1/U2 iPhone (Apple) / UWB Galaxy (Samsung)	any phone with the app/OS
Tag cost driver	adds a UWB chip + antenna (Vol 5)	BLE SoC only — cheaper, simpler
Fallback when unsupported	BLE proximity + ring (same as below)	(this is the only mode)

The takeaway for a buyer (Vol 1’s decision tree) and for the detection half alike: UWB is the feature that makes “find it in the room” precise, and only two ecosystems have it — Apple (U1/U2, iPhone) and Samsung (NXP, Galaxy). Everyone else rings a speaker and shows a warmer/colder bar. For the counter-surveillance reader the conclusion is the same from the other direction: since UWB only fires during an owner-initiated session and only on these ecosystems, the radio you can actually detect a hidden tag by is always BLE, never UWB (§9.4).

3.9 Why UWB is theory-only on the bench

This is the chapter the Hack Tools reader came for, and the answer is blunt: none of the gear in this hub — or anywhere in the consumer/hobbyist price class — can usefully receive, let alone decode, 802.15.4z HRP UWB ranging. UWB is, for the bench, a theory chapter. Here is precisely why.

3.9.1 There is no consumer UWB sniffer

The BLE layer of Vol 2 is reachable because BLE sniffing is a solved, cheap, commodity problem: a $10 nRF52840 dongle, a Flipper, an ESP32 Marauder module, or btmon on any Linux box captures advertising PDUs, and OpenHaystack documents every Find My byte (Vol 2, Vol 13). UWB has no equivalent. There is no $30 “UWB Connect” dongle, no Wireshark UWB-ranging dissector that runs on hobby hardware, and no open reimplementation of the AirTag’s UWB session the way OpenHaystack reimplements its BLE side. The reasons compound:

The PHY is exotic and fast. Decoding ~2 ns impulse-radio pulses across a 499.2 MHz channel needs gigasample-per-second capture and impulse-radio-aware processing — not the kind of thing a $300 SDR does at the wave level.
The session is proprietary and secured. Even with the raw pulses, the Precision Finding ranging session above the 802.15.4z PHY is undocumented, and the secure ranging mode randomizes the timestamp waveform (the STS, §3.2). There is no public spec and no community decoder.
It is a research effort, not a workflow. Academic and security-research groups have studied 802.15.4z UWB (especially distance-reduction attacks on UWB car keys) using lab UWB radios and development kits (Qorvo/Decawave DW3000-class modules, vector signal analyzers). That is a research bench, not a tag-hunting field tool, and even those efforts target the standard ranging, not Apple’s proprietary session.

So unlike BLE, there is no path from “owned Hack Tools gear” to “watch the UWB ranging.” The detection half of this series (Vols 11–13) is BLE-only by necessity, and that is not a gap to be closed with a firmware update — it is a hardware-and-protocol wall.

3.9.2 The HackRF 6 GHz ceiling

The one piece of owned-class gear that even gestures at these frequencies is a wideband SDR, and the canonical example is the HackRF One. It is worth being exact about why it still does not work, because it is a clean RF-spec argument the reader can verify.

The HackRF One’s RF front end tops out at 6 GHz. Its tuner (the MAX2837 / RFFC5072 mixer chain) covers roughly 1 MHz – 6 GHz. Now place that against the UWB channel plan from §3.3:

   HackRF tuning ceiling vs the UWB channel plan
   ═════════════════════════════════════════════

   freq →   6.0 GHz        6.49 GHz                 7.99 GHz
            │               │                        │
   HackRF   ├───────────────┤                        
   coverage │  ...up to 6.0 │ ✗ cannot tune here ✗   ✗
            ┤   GHz ceiling  │                        │
                            ▼                        ▼
   UWB                  ┌────────┐              ┌────────┐
   channels             │  ch 5  │              │  ch 9  │
                     6240│ 6489.6 │6739      7738│ 7987.2 │8237  MHz
                        └────────┘              └────────┘
                         ▲ centre 490 MHz ABOVE the HackRF ceiling
                         ▲ even ch.5's LOWER edge (6240 MHz) is > 6 GHz

   Result: a HackRF cannot tune to EITHER UWB channel. The entire
   6.24–8.24 GHz consumer-UWB span lies above its 6 GHz hard ceiling.

Channel 5 is centred at 6489.6 MHz — about 490 MHz above the HackRF’s 6 GHz ceiling — and even channel 5’s lower band edge (~6240 MHz) is already above 6 GHz. Channel 9 (7987.2 MHz) is wildly out of reach. So the HackRF cannot tune to either consumer-UWB channel; at best it sees the extreme lowest band-edge of the UWB mask marginally, far below the channel centres, which is useless for capturing a ranging packet. The HackRF’s 6 GHz ceiling rules out practical UWB receive, full stop.

The regulatory/why-HackRF-can’t note — keep this with the channel plan. Consumer UWB lives at 6.24–8.24 GHz (802.15.4z channels 5 @ 6489.6 MHz and 9 @ 7987.2 MHz, 499.2 MHz each), radiated under the FCC Part 15 / ETSI EN 302 065 –41.3 dBm/MHz spectral-density mask — a deliberately faint, ultra-wide whisper. A HackRF One’s front end stops at 6 GHz, below channel 5’s centre, so it physically cannot receive these channels (only a marginal sliver of the lowest band edge). That, plus the absence of any consumer UWB sniffer or open ranging decoder (§9.1), is why UWB is theory-only on this bench. Vol 13 and the HackRF One/ deep dive reiterate this same 6 GHz-ceiling caveat — the two agree: UWB receive is off the table for owned gear, and BLE is the only practical detection surface (§9.4, Vol 12). Even a hypothetical SDR that could tune to 6.5–8 GHz would still face the gigasample capture and proprietary-session walls of §9.1.

3.9.3 What real UWB capture would take

For completeness — the order-of-magnitude shopping list that would let someone observe 802.15.4z ranging, to make concrete how far outside the hobby bench it sits:

Table 9 — For completeness — the order-of-magnitude shopping list that would let someone observe 802.15.4z ranging, to make concrete how far outside the hobby bench it sits

Need	Hobby/owned gear	What it would actually take
Tune to 6.49 / 7.99 GHz	HackRF (6 GHz ceiling — no)	SDR/front-end reaching 8+ GHz (e.g. high-end USRP + ext. mixer)
Capture a 499.2 MHz channel	~20 MHz BLE-class capture	≥500 MHz instantaneous bandwidth digitizer (GS/s ADC)
See ~2 ns pulses at the wave level	not feasible	impulse-radio-aware DSP / a real-time scope or VSA
Speak/decode 802.15.4z ranging	none	a UWB dev kit (Qorvo DW3000-class) — and even then, the standard ranging, not Apple’s proprietary session
Decode the Precision Finding session	none, none exists	reverse-engineering effort; not publicly done

Every row is either lab-grade instrumentation or unsolved research. None of it is “add a module to the Flipper.” This is the cleanest example in the whole series of a protocol that is fully understood in theory (the PHY is an open IEEE standard) and yet completely out of reach in practice for the gear the rest of these volumes are built around.

3.9.4 So detection stays on BLE

Closing the loop to the counter-surveillance half: because UWB only fires during an owner-initiated Precision Finding session (§7.1) and only between matched-ecosystem devices (§7.3, §8), a hidden or unwanted tag separated from its owner is not emitting UWB at all — it is BLE-only on the air (the separated-state advert of Vol 2, with the anti-stalking behavior of Vol 4). There is therefore nothing for a victim’s detector to gain from UWB even if the hardware existed: the tag’s findable, persistent signal is its BLE advertisement, and that is exactly the signal the detectors and owned gear can see (Vol 1 §5, Vol 11, Vol 12, Vol 13). UWB is the owner’s terminal-homing luxury; BLE is the detection surface, and the two never trade places. This is why the UWB chapter, fascinating as the radio is, is parked in research-only territory for the bench and the detection workflows live entirely on BLE.

3.10 Cheatsheet updates

This volume’s contributions to the Vol 15 laminate-ready cheatsheet — the UWB facts to carry without re-reading:

Two radios, two jobs. BLE/Find-My (Vol 2) locates a tag globally to “which room” (RSSI, ~metres, noisy); UWB Precision Finding homes the last few metres with a distance + arrow + haptics to ~10 cm + true bearing. UWB takes over once BLE has gotten you close.
UWB is impulse radio. IEEE 802.15.4z HRP (FiRa-aligned), ~2 ns RF pulses across a 499.2 MHz channel — not a modulated carrier. Wide band ⇒ sharp pulse ⇒ precise timing ⇒ precise range.
The channel plan. Channel 5 = 6489.6 MHz, channel 9 = 7987.2 MHz, each 499.2 MHz wide; usable span ≈ 6.24–8.24 GHz. (“6.5–8 GHz” is loose shorthand.)
Distance = two-way ranging. $T_\text{prop} = (T_\text{round} - T_\text{reply})/2$, $d = c\cdot T_\text{prop}$ ($c\approx 0.30$ m/ns). DS-TWR (3 messages) cancels clock offset and drift. No shared clock needed. ⇒ ~10 cm.
Direction = angle-of-arrival. The iPhone has a multi-antenna UWB array (≈3 antennas); the AirTag has one antenna and just responds. Phase difference $\Delta\varphi = (2\pi/\lambda),d\sin\theta$ → bearing. λ ≈ 4.62 cm (ch.5) / 3.75 cm (ch.9); spacing ~λ/2 ~ 2 cm. The phone computes range+bearing; the tag computes nothing.
Apple silicon: U1 then U2. U1 — iPhone 11 (2019), Watch S6+, HomePod mini, and the AirTag (as responder). U2 — iPhone 15 / Watch S9 (2023), ~3× range, lower power. Same PHY; the AirTag’s U1 talks to either.
Precision Finding needs iPhone 11+. No U1/U2 (iPhone X/XR/XS/SE and older) ⇒ no arrow, BLE fallback (ring + map) only.
Samsung is the only other UWB. SmartTag+ / SmartTag2 use NXP 802.15.4z UWB, range only against UWB Galaxy flagships (“AR Finding”). Tile / Chipolo / Pebblebee = BLE-only, no UWB — warmer/colder bar, no distance, no arrow. UWB ≠ cross-ecosystem.
UWB is theory-only on the bench. No consumer UWB sniffer; no open ranging decoder; the session is proprietary + secured (STS). It is a research effort, not a workflow.
HackRF can’t reach it. The HackRF One stops at 6 GHz, below channel 5’s 6489.6 MHz centre (and below its 6240 MHz lower edge), so it cannot receive either UWB channel. (Same caveat in Vol 13 / the HackRF One/ deep dive.)
Detection lives on BLE. A separated/unwanted tag emits no UWB (UWB fires only in an owner session). The findable signal is always the BLE advertisement — so all detection (Vols 11–13) keys on BLE, never UWB.

This is Volume 3 of a fifteen-volume series. Next: Vol 4 (Theory III — NFC, Lost Mode, and the separated-state / anti-stalking beaconing behavior) closes the theory half and is the literal bridge into the detection half — the NFC tap that reads a found tag’s serial and the owner’s last-4 digits, the separated-state advertising changes, and the DULT unwanted-tracking sound/alert timing that every detector in Vols 11–13 hangs off. With BLE (Vol 2) and UWB (this volume) understood, Vol 4 explains the third interface and the behavior that turns a tracker into something you can catch.

AirTags Volume 3 — Theory II: Ultra-Wideband Precision Finding