Continuing the tweet-chain of @colinoflynn on AirTag hacking, we will look at the flash contents now! https://twitter.com/colinoflynn/status/1390486554586587139
Similar to most Apple embedded devices, the AirTags also seem to run RTKit... And this is where it gets interesting: It's a DEBUG build - debug builds have more functionality, and sometimes more logs & co - this is good news!

/cc @naehrdine
Also looks like the firmware for the U1 DSP is on the flash, as you can find a ton of AArch64 instructions
Next step: Dump the rkos images contained in the firmware...
Using ftab-dump ( https://github.com/19h/ftab-dump ) it's as simple as this 😀
Looks like both rkos are identical - maybe a recovery/fallback version?
Ohhh, what do we have here? This looks a lot like it might be an nRF52 firmware, which is the microcontroller used on the AirTag!
Hmm too bad, looks like it's just a reset vector, not actual firmware :)
Also here's the entropy graph of the whole thing, looks like nothing is encrypted :)
I still remember when I first saw this Apple note - in the firmware images of my 3rd generation iPod when I just got started with hardware/firmware reversing 😀
Well hello there, nRF52 firmware 🥸
(If someone close to Stuttgart has too many AirTags and can spare one... hit me up 👀)
Found a SHA256 implementation in the firmware, slowly trying to get an overview
For those playing along at home: Loaded the firmware starting at 0x28D000 into Ghidra, loading offset seems to be 0x1c000 - guessing that there's a bootloader in front of that?!

Then used SVD-Loader to load an nrf52 SVD I found - it's not super detailed but gets the job done
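The "reset vector, not actual firmware" spot and the 0x1c000 load-offset guess above both come from reading Cortex-M vector tables in the dump. As an added example (not the thread author's tooling), this script scans a flash dump for plausible nRF52 vector tables and derives a Ghidra load base from the handler addresses; the nRF52 address ranges and the embedded sample image are assumptions/constructed data, not AirTag bytes.

```python
import struct

# Assumed nRF52 memory map (nRF52832/nRF52840-class part): 1 MiB flash, up to 256 KiB SRAM.
FLASH_START, FLASH_END = 0x00000000, 0x00100000
RAM_START, RAM_END = 0x20000000, 0x20040000
PAGE = 0x1000  # nRF52 flash page size; images are linked at page boundaries


def find_vector_tables(blob, min_handlers=8):
    """Scan for Cortex-M vector tables: word 0 is the initial SP (must point into RAM),
    words 1.. are Thumb handler addresses (odd, inside flash; 0 means unused).
    Returns a list of (file_offset, initial_sp, [handler addresses])."""
    hits = []
    for off in range(0, len(blob) - 4 * (min_handlers + 1), 4):
        sp = struct.unpack_from("<I", blob, off)[0]
        if not (RAM_START <= sp <= RAM_END):
            continue
        handlers = []
        for i in range(1, min_handlers + 1):
            h = struct.unpack_from("<I", blob, off + 4 * i)[0]
            if h == 0:
                continue
            if (h & 1) == 0 or not (FLASH_START <= h < FLASH_END):
                handlers = None  # not a Thumb address in flash: reject candidate
                break
            handlers.append(h)
        if handlers and len(handlers) >= min_handlers // 2:
            hits.append((off, sp, handlers))
    return hits


def guess_load_base(handlers):
    """Lowest handler address rounded down to a flash page: the address the image
    containing this table was linked for (the kind of guess behind 0x1c000 above)."""
    return (min(handlers) & ~1) & ~(PAGE - 1)


def analyze(blob):
    """Return (file_offset, guessed_load_base) for every table found in the dump."""
    return [(off, guess_load_base(hs)) for off, _sp, hs in find_vector_tables(blob)]


# Constructed sample: 2 KiB of erased flash (0xFF) with a fake 8-entry table at 0x400,
# whose handlers are linked as if the image sat at 0x1c000. Not real AirTag data.
SAMPLE = bytearray(b"\xff" * 0x800)
FAKE_HANDLERS = [0x1C1A5, 0x1C2F1, 0x1C30D, 0x1C30D, 0, 0x1C3A9, 0x1C3C5, 0x1C401]
struct.pack_into("<9I", SAMPLE, 0x400, 0x20008000, *FAKE_HANDLERS)

if __name__ == "__main__":
    for off, base in analyze(bytes(SAMPLE)):
        print(f"vector table at file offset {off:#x}: load image at {base:#x} in Ghidra")
```

Running it against a real dump lists every table, so a bootloader and an application image each show up with their own offset and base.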
Looks like this is the function that generates the "I found a tag" URL:
Sweet, picking some tags up in an hour, that should be fun 😬
You can follow @ghidraninja.