seemoo-lab
Understanding the 'status' byte of Airtags
I've read your research paper (via this blogpost), which mentions that Airtags emit a status byte, which "might indicate battery life".
I was wondering if you could tell me more about this byte. Does it indeed represent battery life? If so, wouldn't that make it possible to circumvent the peridic mac address randomisation? E.g.
- Mac with battery life 56 disappears
- A new mac with battery life 56 appears.
- Conclusion: likely to be the same device?
If it's battery life indicator, is it a 0-255 representation of a 100% range?
Or does this status byte also convey other status information?
The battery state in the status byte is represented by 2 Bits: with 00 for a full battery and 11 for critically low. These 4 different states might not be enough to assume that a device with a new mac address but the same battery state is the same device.
We explain the status byte in more detail in our new pre-print paper about AirGuard :wink: https://arxiv.org/abs/2202.11813
I'm adraid that document doens't bring me any further. For my understanding: could you explain what each of the bit switches in the status byte do and where they are placed in order?
- two of the 8 must be battery level
- two of the 8 must be the connection state
But.. which ones? And what do the other 4 bits do?
I'd be very grateful if you could share some insight. I've tried looking through the AirGuard code to see if I could learn more.
I'm hoping that it's possible to immediately read if an Airtag is in the "lost" mode. My code currently waits 30 minutes to see if the mac address stays the same, and takes that as a sign that the Airtag is lost.
I suspect there is a better way.