barrenechea/airtag-superbinary-extractor

SuperBinary Extractor for AirTag Firmware

A Zig implementation that extracts and validates firmware components from Apple's SuperBinary (.bin) files. This format bundles firmware for the AirTag's nRF (Bluetooth) and U1 (Ultra-Wideband) chips.

Overview

The SuperBinary contains firmware for two main components:

  1. The Nordic nRF chip (Bluetooth): consists of the SoftDevice, Bootloader, and the Bluetooth App.
  2. The Apple U1 chip (Ultra-Wideband): referred to as "R1" or "Rose", contained within the ftab asset.

The SuperBinary header contains entries with the following structure:

  • 4-byte ASCII tag (e.g., blap, sftd)
  • 2-byte version (little-endian)
  • 2-byte flags (little-endian)
  • 4-byte constant (0x00490002)
  • 4-byte offset to data (little-endian)
  • 4-byte length of data (little-endian)

This tool identifies these entries, extracts their corresponding binary blobs, and validates them based on their expected content (e.g., ARM firmware, signatures, or the U1 firmware container).
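The entry layout above as an added Python example (not code from this repository, which is written in Zig): it scans a blob for the 20-byte entries and bounds-checks each offset and length before extracting. Assumptions: the constant is stored little-endian like the other fields, entries are located by scanning for a known tag followed by the constant, and the function names and sample bytes are constructed for illustration.

```python
import struct

# Tags listed in this README.
KNOWN_TAGS = {b"blap", b"sftd", b"bldr", b"basg", b"sdsg", b"blsg", b"ftab"}
ENTRY = struct.Struct("<4sHHIII")   # tag, version, flags, constant, offset, length
CONSTANT = 0x00490002               # assumption: little-endian on disk, like the other fields


def find_entries(blob, tags=KNOWN_TAGS):
    """Scan blob for 20-byte entries; return (entries, rejected)."""
    entries, rejected = [], []
    for pos in range(0, len(blob) - ENTRY.size + 1):
        if blob[pos:pos + 4] not in tags:
            continue
        tag, version, flags, const, offset, length = ENTRY.unpack_from(blob, pos)
        if const != CONSTANT:
            continue  # tag bytes that merely occur inside payload data
        rec = {"tag": tag.decode("ascii"), "version": version, "flags": flags,
               "offset": offset, "length": length, "entry_at": pos}
        # offset and length come from the file, so check them before slicing
        if length == 0 or offset + length > len(blob):
            rejected.append(rec)
        else:
            entries.append(rec)
    return entries, rejected


def extract(blob, entry):
    """Return the data blob an accepted entry points at."""
    return blob[entry["offset"]:entry["offset"] + entry["length"]]


def build_sample():
    """Constructed sample: two valid entries and one whose length overruns the file."""
    payload_a, payload_b = b"\xAA" * 16, b"\x30\x82" + b"\x00" * 6
    header = ENTRY.pack(b"blap", 1, 0, CONSTANT, 64, len(payload_a))
    header += ENTRY.pack(b"basg", 1, 0, CONSTANT, 80, len(payload_b))
    header += ENTRY.pack(b"ftab", 1, 0, CONSTANT, 88, 4096)  # out of bounds
    return header.ljust(64, b"\x00") + payload_a + payload_b


if __name__ == "__main__":
    sample = build_sample()
    ok, bad = find_entries(sample)
    for e in ok:
        print(e["tag"], hex(e["offset"]), e["length"], extract(sample, e)[:4].hex())
    for e in bad:
        print("rejected (out of bounds):", e["tag"], e["offset"], e["length"])
```
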

Features

  • Extracts various firmware components from SuperBinary files
  • Supports the following tags:
    • blap: Bluetooth Application (for nRF)
    • sftd: Soft Device (for nRF)
    • bldr: Boot Loader (for nRF)
    • basg: Bluetooth App Signature
    • sdsg: Soft Device Signature
    • blsg: Boot Loader Signature
    • ftab: Firmware Table for R1 (U1/Rose) chip
  • Validates extracted components based on their expected format
  • Generates a manifest file with extraction details
  • Falls back to dumping the first 512 bytes of the header if no entries are found

Requirements

Building

zig build

Running

zig build run -- <path-to-superbinary> [-o outdir] [--tags comma,separated]

Examples

Extract all default components:

zig build run -- firmware.bin

Extract to a specific output directory:

zig build run -- firmware.bin -o extracted/

Extract specific tags only:

zig build run -- firmware.bin --tags blap,sftd,bldr

Testing

Unit tests for the validation helpers can be executed with:

zig build test

Output

The tool creates the following files in the output directory:

  • Individual extracted firmware components with names like [tag]_[offset].bin
  • manifest.json – detailed information about all extracted entries
  • header_dump.bin – created when no entries are found (first 512 bytes of the header)

Validation

The tool performs the following validations:

  • ARM firmware validation by checking ARM vector table patterns
  • Signature validation using ASN.1 DER format cues
  • U1 firmware container validation by checking for specific identifiers
