openhaystack
Support for Android / Google's Find my Device?
Google recently launched its Find My Device network. https://blog.google/products/android/android-find-my-device/
Contrary to Apple, the specification is publicly available: https://developers.google.com/nearby/fast-pair/specifications/extensions/fmdn
Are there plans to support Google's network as well?
The new API seems to be called "spot":
izm.h("canary-spot-pa.sandbox.googleapis.com");
izm.h("dev-spot-pa.sandbox.googleapis.com");
izm.h("spot-pa.googleapis.com");
izm.h("spot-pa.googleapis.com");
This (protobuf?) API requires the following scopes:
https://www.googleapis.com/auth/spot
https://www.googleapis.com/auth/android_device_manager
It looks like it contains the following RPC services:
izt.d("CreateUser", kcl17);
izt.d("GetUser", kcl12);
izt.d("UpdateUser", kcl10);
izt.d("DeleteUser", kcl6);
izt.d("CreateBleDevice", kcl5);
izt.d("UpdateBleDevice", kcl2);
izt.d("UpdateBleDeviceSharingSettings", kcl4);
izt.d("ListBleDevices", kcl7);
izt.d("ListEidsForBleDevices", kcl14);
izt.d("GetEidInfoForE2eeDevices", kcl3);
izt.d("UploadPrecomputedPublicKeyIds", kcl8);
izt.d("RotateBleDeviceKeys", kcl13);
izt.d("GetBleDevice", kcl9);
izt.d("GetScannedDeviceInfo", kcl16);
izt.d("DeleteBleDevice", kcl15);
izt.d("GetServicePublicKey", kcl11);
izt.d("UploadClientActionResult", kcl1);
The FMD app also makes some POST requests to
https://android.googleapis.com/nova/nbe_execute_action
and
https://android.googleapis.com/nova/nbe_list_devices
With the proper Authorization Bearer token, I get a list of my device names and images (including "spot" devices) along with a bunch of other binary data in the application/octet-stream response.
Might be worth looking into this discussion as well to see if that helps: https://github.com/biemster/FindMy/issues/51
The FMD app also makes some POST requests to
https://android.googleapis.com/nova/nbe_execute_action
and
https://android.googleapis.com/nova/nbe_list_devices
With the proper Authorization Bearer token, I get a list of my device names and images (including "spot" devices) along with a bunch of other binary data in the application/octet-stream response.
Did you figure out if acquiring the Bearer token could be automated?
@denysvitali or @adriancampos did you find out more on the API side? I implemented the FMD advertisement, where the Eid (ephemeral id) seems to be the key to all this. Next step would be to retrieve reports with an Eid, which might require registering it first on your Google account.
I started building out an sdk for the findmy api.
https://github.com/dylanmazurek/google-findmy
It looks like someone is doing that in Python too: https://github.com/leonboe1/GoogleFindMyTools/
Might be useful, reverse engineering Chipolo: https://media.ccc.de/v/38c3-from-fault-injection-to-rce-analyzing-a-bluetooth-tracker
The problem seems to be solved! At least the advertisement packet and a working location cycle. Nordic even released a fully functioning example: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/device_guides/nrf52/index.html#ug-nrf52
Has anyone tried this?
Possibly most of you have found my repository, it was already posted above. But just to let you know, it allows you to use ESP32 trackers with the Google Find My Device network, just like OpenHaystack.
https://github.com/leonboe1/GoogleFindMyTools/
Possibly most of you have found my repository, it was already posted above. But just to let you know, it allows you to use ESP32 trackers with the Google Find My Device network, just like OpenHaystack.
https://github.com/leonboe1/GoogleFindMyTools/
Well yes, but the one I posted is for nRF boards and also supports Fast Pair. There are no links between the two.
Possibly most of you have found my repository, it was already posted above. But just to let you know, it allows you to use ESP32 trackers with the Google Find My Device network, just like OpenHaystack. https://github.com/leonboe1/GoogleFindMyTools/
Well yes, but the one I posted is for nRF boards and also supports Fast Pair. There are no links between the two.
As I read, you still need to sign with Google to do the full chain of registration, seems like a waste of effort if you can get it working without it.
Yes, if you want to not use any additional software and only your phone, then a Fast Pair-compatible tracker makes more sense. However, I'm not sure if the firmware listed above will work, since Fast Pair normally needs a pre-shared key which is privately stored on the Fast Pair device, and I doubt that this key is included in the firmware. But maybe it is 🤷🏻