Nearby Action messages are sent in order to inform nearby devices of a change in device state, including joining a WiFi network or initial setup of an iOS device. This message and its format were first described in Handoff All Your Privacy — A Review of Apple's Bluetooth Low Energy Continuity Protocol by Martin et al. as a "WiFi-Join" message. Guillaume Celosia and Mathieu Cunche enumerated the remaining `Action Types` in Discontinued Privacy: Personal Data Leaks in Apple Bluetooth-Low-Energy Continuity Protocols.
The structure of the Nearby Action message's Action Parameters field is
dependent upon the Action Type value. One of the more common Action Type
values the FuriousMAC team observed was WiFi Password (0x08), which prompts
nearby iOS devices to securely share a WiFi network's password if they are
already connected to the same network. This message type was originally
described in the Handoff All Your Privacy work as the "WiFi-Join"
message. The frame format of this particular message is given below; other
Action Type values will substitute Action Type-specific fields following
the Authentication Tag field.
| Field Name | Info | Example | Length | Type | Notes |
|---|---|---|---|---|---|
| btcommon.apple.nearbyaction.flags | Nearby Action Flags | 40 | 1 | Bytes | Auth Tag bit. Not sure about others |
| btcommon.apple.nearybaction.flags.authtag | Auth Tag Flag | Absent | 1 | Bool | |
| btcommon.apple.nearbyaction.type | Nearby Action Type | Wi-Fi Password (0x08) | 1 | UINT8 | Not all types dissect properly |
| btcommon.apple.nearbyaction.auth | Auth Tag | 390087 | 3 | Bytes | 390087 |
| btcommon.apple.nearbyaction.wifijoin.ssid | First 3 bytes SHA256(SSID) | f9575b | 3 | Bytes | |
| btcommon.apple.nearbyaction.wifijoin.appleid | First 3 bytes SHA256(Apple ID) | 3455e6 | 3 | Bytes | |
| btcommon.apple.nearbyaction.wifijoin.phonenumber | First 3 bytes SHA256(Phone Number) | 395504 | 3 | Bytes | |
| btcommon.apple.nearbyaction.wifijoin.email | First 3 bytes SHA256(Email) | 09fc87 | 3 | Bytes | |
| btcommon.apple.nearbyaction.setup.device_class | Device Class | iPhone (0x2) | 1 | UINT8 | |
| btcommon.apple.nearbyaction.setup.device_model | Device Model | D22 (X, Xs, XSMax) (0x1) | 1 | UINT8 | |
| btcommon.apple.nearbyaction.setup.device_color | Device Color | Black (0x1) | 1 | UINT8 | |
| btcommon.apple.nearbyaction.setup.msg_ver | Message Version | 10 | 1 | UINT8 | Might be protocol version? Not sure |
| btcommon.apple.nearbyaction_data | Unknown Data | 8bdab64875208f0c7280ae0599350000632fc5 | Varies | Bytes | Used for unknown sub types |
The message fields, observed values and their meaning:
- Type: 1 byte, 0x0F -- indicates a Nearby Action message
- Length: 1 byte, variable -- number of bytes in message payload
- Action Flags: 1 byte
-
Action Type: 1 byte
- 0x01 -- Apple TV Setup
- 0x04 -- Mobile Backup
- 0x05 -- Watch Setup
- 0x06 -- Apple TV Pair
- 0x07 -- Internet Relay
- 0x08 -- WiFi Password
- 0x09 -- iOS Setup
- 0x0A -- Repair
- 0x0B -- Speaker Setupd
- 0x0C -- Apple Pay
- 0x0D -- Whole Home Audio Setup
- 0x0E -- Developer Tools Pairing Request
- 0x0F -- Answered Call
- 0x10 -- Ended Call
- 0x11 -- DD Ping
- 0x12 -- DD Pong
- 0x13 -- Remote Auto Fill
- 0x14 -- Companion Link Proximity
- 0x15 -- Remote Management
- 0x16 -- Remote Auto Fill Pong
- 0x17 -- Remote Display
- Authentication Tag: 3 bytes
- Action Parameters: Variable