Find My Stuff
This story is about a rabbit hole I fell in and haven't found my way out yet.
It all started with an ad
Last year I saw a tram with an interesting advertising wrap. I wanted to get a picture of it but it was far away and I only had my smartphone camera with me. The result was a blurry mess. To get a decent shot I would have to find it again.
But how do I find that one specific tram out of the millions[1] that drive around Berlin? Our public transport company does have a website with a "live"[2] map of all their vehicles, but how do I know which one is the tram I want??
I thought about taking my laptop to the next tram stop and just sitting there all day waiting for my tram to come by and then checking the id it had on the live map[3]. But I don't want to sit on an uncomfortable steel bench hunched over a laptop all day. Everybody would think that I'm some kind of weirdo[4].
Soo. What to do? Maybe I could put a tracker on it when I see it again??
Let's get tracking!
When you think about trackers there are the GPS trackers we all know from spy movies. The stuff that governments use. That you put under a car with a really strong magnet.
Sounds expensive. But there is a cheaper option: AirTags!
Well it's not that great of an option: First of all AirTags aren't that cheap (100 bucks for a 4-pack). And secondly I don't own any Apple devices[5] and I don't want that to change. And finally: I don't like proprietary closed-source bullshit!
Hmm. How do these AirTags even work?
AirTags are pretty simple devices. Just like a small child losing sight of their mommy they just start crying for help when they lose contact to their iPhone. When any other Apple device hears the crying of an AirTag (or an iPhone or iPad or whatever else uses the FindMy network) it will call their fruit-themed overlord and say: "Hey man, I'm at this place right now and there is this weird thing crying for help. Can you deal with that? K. Thanks."
Well in reality it's a bit more complicated. The lost device broadcasts some data, which includes a key, and the snitching finder device will use that key to encrypt its location data before sending it to the big apple. For some reason they thought it wouldn't be great if they had the position of everybody in a database...
There are some AirTag clones available. So how the tag part works is probably publicly known to some degree. But what about getting data about a device from malus pumila?
Finding the needle in the haystack
Somebody must have reverse-engineered it. Right? Right! Even before the AirTag was released the folks from the "Secure Mobile Networking Lab" at TU Darmstadt had reverse-engineered the system, found several vulnerabilities and built OpenHaystack.
As part of OpenHaystack they released firmware for the ESP32 and the Microbit_v1 which can turn them into trackers that can be found via the Find My network. Ok. So even before I finished reading the README I ordered some ESP32 devboards[6] and smallish batteries to power them.
After spending way too much money on Amazon[7] I kept reading the README only to find out that you still need a Mac to use OpenHaystack.
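To make the "broadcasts some data, which includes a key" part above concrete, here is an added example (my own code, not from this post and not OpenHaystack's firmware) that packs a 28-byte advertised key the way the OpenHaystack ESP32 firmware spreads it over the Bluetooth address and the Apple manufacturer-specific payload, parses such a frame back into the key, and derives the SHA-256 identifier a finder reports under. It assumes that layout (Apple company id 0x004C, type 0x12, 25 payload bytes, key bits 7-8 of byte 0 relocated to the end) and uses a constructed sample key; over-the-air byte ordering of the address is not modelled.

```python
import base64
import hashlib
from typing import Optional, Tuple

# Constructed sample key: 28 bytes standing in for the X coordinate of a P-224 public key.
SAMPLE_KEY = bytes([0x5A]) + bytes(range(1, 28))

# len 30, manufacturer-specific data, Apple company id 0x004C (LE), type 0x12, 25 bytes follow
OF_HEADER = b"\x1e\xff\x4c\x00\x12\x19"


def build_advertisement(pubkey: bytes) -> Tuple[bytes, bytes]:
    """Split a 28-byte key across a random static address and a 31-byte advertising payload."""
    if len(pubkey) != 28:
        raise ValueError("advertised key must be 28 bytes")
    addr = bytearray(pubkey[:6])
    addr[0] |= 0b11000000                 # top two bits flag a random static address
    payload = bytearray(OF_HEADER)
    payload += b"\x00"                    # status byte (battery state)
    payload += pubkey[6:28]               # remaining 22 key bytes
    payload += bytes([pubkey[0] >> 6])    # the two key bits the address flags overwrote
    payload += b"\x00"                    # hint byte
    return bytes(addr), bytes(payload)


def parse_advertisement(addr: bytes, payload: bytes) -> Optional[bytes]:
    """Recover the full key from a captured address + payload, or None for any other frame."""
    if len(payload) != 31 or payload[:6] != OF_HEADER:
        return None
    key = bytearray(addr[:6]) + payload[7:29]
    key[0] = (key[0] & 0b00111111) | ((payload[29] & 0b11) << 6)
    return bytes(key)


def hashed_key(pubkey: bytes) -> str:
    """Identifier a finder reports a location under: base64(SHA-256(advertised key))."""
    return base64.b64encode(hashlib.sha256(pubkey).digest()).decode()


if __name__ == "__main__":
    addr, adv = build_advertisement(SAMPLE_KEY)
    print("address      :", addr.hex())
    print("payload      :", adv.hex())
    print("round trip ok:", parse_advertisement(addr, adv) == SAMPLE_KEY)
    print("hashed key   :", hashed_key(SAMPLE_KEY))
```

The parser is also what a defender sniffing for unknown trackers would start from: any 31-byte Apple manufacturer frame of type 0x12 coming from a random static address is a Find My beacon, whether it is an AirTag or an ESP32.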
This can't be true...
Maybe someone else has found a way to do this without a mac?
Where we're going we don't need a mac!
Yes. Yes of course someone has. Without much effort I found the aptly named project macless-haystack.
Ok requirements are:
- Docker installed
That's doable.
- Python3 and pip3 installed
Sure, no problem.
- Apple-ID with 2FA enabled
Oh no. This might need some finagling.
Just let me use your stupid system!
Well. It did take some work.
When you try to create an Apple-ID one of the first things they ask you is your phone number. Well I didn't want to give them my phone number. But without it you won't get an account.
Well okay. Let's give 'em a phone number. It ain't mine but it's a phone number.
What do you mean you texted me a verification code?
Okay so it must be a phone number where I can receive text messages.
There are a lot of websites that claim to give you a temporary phone number for free. I tried most of them. You can guess how many worked[8].
I did a lot of research to find if any of the commercial providers out there are legit and somewhat trustworthy. Most info I found was extremely outdated. But after days I found a service that looked okay and was pretty cheap. So I tried it.
I ordered a number, gave that number to Apple, and...
Nothing.
It didn't work.
At least I got a refund.
Let's try it again. Maybe it'll work this time[9].
Money please
IT WORKED!
Next step: Payment Info.
Of course I didn't want to give Apple any payment info.
Well too bad. I tried several times[10] through different methods. They always want your payment info. Ain't no way around it.
Well I found a way around it[11].
Second factor
So I've got an Apple-ID. What did the README say again?
- Apple-ID with 2FA enabled. Only sms/text message as second factor is supported!
Oh.
Well okay. The SMS service I used allowed me to receive another 2FA-code on the same number for a short period of time.
So I set up the docker container, prepared everything, created a new Apple-ID and logged in.
ERROR - It seems your account score is not high enough. Log in to https://appleid.apple.com/ and add your credit card (nothing will be charged) or additional data to increase it.
To be honest I had long forgotten why I was doing all this. It was completely irrelevant. I had some ESP32 boards and a dream. A dream of abusing every iPhone that comes into bluetooth range to do my bidding[12].
Raising the score
I did some research. Apparently there are two ways to increase the account score of an Apple-ID. The first we already know: adding a credit card. No thank you!
The other one: Adding a trusted device. That means an iPhone, iPad or a Mac.
Ok sure: Let's get a Mac!
Getting an iMac
As I established before: I don't want any Apple products in my household.
So let's do the next best thing to getting a physical Mac: getting a virtual Mac!
It's been years, nay decades[13], since I last toyed with the idea of running Mac OS X in a virtual machine. After Apple transitioned to x86-based systems the hackintosh scene flourished. Obviously it was also a lot easier to emulate x86 computers than a PowerPC-based Apple. But back then there were lots of problems. The biggest one for me was that I was poor and didn't have a powerful computer.
I tried for a while but wasn't able to get anything working and soon abandoned the idea. Not least because I couldn't remember why I even wanted to run Mac OS X.
But the times have changed. I'm older, wiser and one of the richest people in Berlin[14]!
Also I own beefy[15] hardware.
While researching I found several projects that make installing Mac OS in a VM "easy". After some testing I finally landed on (a slightly modified version of) OnClick-macOS-Simple-KVM (which is based on macOS-simple-KVM).
They also have decent docs!
It took some time and effort but after a while I had a working Mac OS X VM. After changing the MAC address[16], the SMBIOS and the config.plist I was finally ready to add my Apple-ID.
Haven't I been through enough?
Yes. Yes I have. I don't quite remember if it worked first try or if I had to do something else like creating yet another Apple-ID. But I had an Apple-ID with a trusted device and a trusted phone number. I was finally totally trustworthy!
So back I went to my docker host where I had set up macless-haystack. Fired it up and couldn't get it to work. I had totally forgotten what the README had said.
- Apple-ID with 2FA enabled. Only sms/text message as second factor is supported!
Why? Why can't I use my trusted device as a second factor??
I tried it. It didn't work.
Ok.
Let's start over. New mail account, new phone number, new iMac[17]. Let's fucking go!
Is it over?
It worked! Oh my fucking non-existent god! It's over. Isn't it?
Well I did flash the ESP32 a couple of times with different numbers of keys and slightly different configurations. But all in all I was done! I had a tracker that I could track via Apple's Find My network.
What now?
To be continued...
[1] Might be a slight exaggeration. Couldn't find the exact number.
[2] Well most positions are optimistic guesstimates. But it's okay-ish.
[3] Ok, before that I tried to figure out if there is any relation between the ids on the map and the vehicle numbers or if there is some other identifier in the data that could help. But I didn't find anything useful.
[5] That's a complete lie. I own a 4th generation iPod nano with an almost dead battery and my parents have been asking me for years if they can finally throw out my old Performa 5200 (which I upgraded with 32(!!) MB of RAM and a 10MBit network card (which was way too fast for the rest of the system)).
[6] Well they were already on my shopping list. Still want to build some ESPHome devices.
[7] I couldn't wait 4-6 weeks for shipping.
[8] Hint: It was less than 1.
[9] The definition of insanity is doing the same thing over and over again and expecting a different result.
[10] This is an extremely abbreviated telling of events. It took days. Apple repeatedly flagged my mail account and my IP address and so on. For every try I needed a new mail account and phone number.
[11] Sorry. I won't tell you how. I don't want them to "fix" this.
[12] Just to be clear: With "doing my bidding" I mean sending their location through Apple to me!
[13] 1-1.5 probably
[14] Well I belong to the lucky few that are not in debt.
[15] Disclaimer: does not contain any real beef or other animal products.
[16] Since it lives somewhere else now...
[17] I just loaded the snapshot I did after the install and regenerated the MAC address, SMBIOS and config.plist.