seemoo-lab/owl seemoo-lab/owl

  • Stars
    star
    1,192
  • Rank 37,787 (Top 0.8 %)
  • Language
    C
  • License
    GNU General Publi...
  • Created almost 5 years ago
  • Updated 4 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
seemoo-lab/owl
github

seemoo-lab

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

An open Apple Wireless Direct Link (AWDL) implementation written in C

Open Wireless Link

Language grade

Open Wireless Link (OWL) is an open implementation of the Apple Wireless Direct Link (AWDL) ad hoc protocol for Linux and macOS written in C and part of the Open Wireless Link project.

OWL runs in user space and makes use of Linux’s Netlink API for Wi-Fi specific operations such as channel switching and to integrate itself in the Linux networking stack by providing a virtual network interface such that existing IPv6-capable programs can use AWDL without modification.

You can use OWL to in combination with OpenDrop to enable Apple AirDrop functionality on Linux-based systems such as a Raspberry Pi 3.

Disclaimer

OWL is experimental software and is the result of reverse engineering efforts by the Open Wireless Link project. Therefore, it does not support all features of AWDL or might be incompatible with future AWDL versions. OWL is not affiliated with or endorsed by Apple Inc. Use this code at your own risk.

Requirements

Wi-Fi card with active monitor mode. To use OWL, you will need a Wi-Fi card supporting active monitor mode with frame injection. We recommend the Atheros AR9280 chip (IEEE 802.11n) which we used to develop and test this code. Configurations that do not support active monitor mode, i.e., ACK received frames, might suffer from throughput degradation because the sender will re-transmit each frame up to 7 times as per the IEEE 802.11 standard. Have a look at issue #9 if you want to find out whether your card meets the requirements.

No support for virtual machines and WSL. OWL requires direct access to the Wi-Fi card which means that virtualized environments (except with USB or PCIe passthrough) and Windows Subsystem for Linux (WSL, see issue #8), are not supported.

OWL requires libpcap for frame injection and reception, libev for event handling, and libnl (Linux only) for interactions with the system's networking stack which have to be installed on the target system.

On Debian Linux,

sudo apt install libpcap-dev libev-dev libnl-3-dev libnl-genl-3-dev libnl-route-3-dev

On Fedora Linux,

sudo dnf install libpcap-devel libev-devel libnl3-devel

On macOS, you need to add support for tun/tap devices, e.g., via tuntaposx. You can install everything via Homebrew:

brew install libpcap libev
brew cask install tuntap

Build from source

The project is build using CMake. To build the project, simply clone this repository in <OWLDIR> and run

cd <OWLDIR>
git submodule update --init
mkdir build
cd build
cmake ..
make
sudo make install

Use

Simply run

sudo owl -i <WLAN_IFACE>

You can specify a wireless channel using the -c parameter. Available channels are 6, 44 and 149. Note that only some of these channels may be available for use in your country based on your regulatory domain. OWL will warn you if it is unable to use the specified channel, in which case you will only be able to monitor the network. On Linux, you can check which channels are available for use in your country using iw list in Frequencies section. A channel is not available if it is listed as disabled or no IR.

You may increase the log level with -v and -vv and daemonize the program with -D. For other options, have a look at daemon/owl.c. Warning: do not use the -N flag in setups without Nexmon such as this as it will likely cause several problems.

When started, OWL creates a virtual network interface awdl0 with a link-local IPv6 address. Discovered AWDL peers are automatically added (and removed) to (and from) the system's neighbor table. Run ip n to see a list of all current neighbors.

Architecture

The following figure shows the core structure of OWL.

Overview

Code Structure

We provide a coarse structure of the most important components and files to facilitate navigating the code base.

  • daemon/ Contains the active components that interact with the system.
    • core.{c,h} Schedules all relevant functions on the event loop.
    • io.{c,h} Platform-specific functions to send and receive frames.
    • netutils.{c,h} Platform-specific functions to interact with the system's networking stack.
    • owl.c Contains main() and sets up the core based on user arguments.
  • googletest/ The runtime for running the tests.
  • radiotap/ Library for parsing radiotap headers.
  • src/ Contains platform-independent AWDL code.
    • channel.{c,h} Utilities for managing the channel sequence.
    • election.{c,h} Code for running the election process.
    • frame.{c,h} The corresponding header file contains the definitions of all TLVs.
    • peers.{c,h} Manages the peer table.
    • rx.{c,h} Functions for handling a received data and action frames including parsing TLVs.
    • schedule.{c,h} Functions to determine when and which frames should be sent.
    • state.{c,h} Consolidates the AWDL state.
    • sync.{c,h} Synchronization: managing (extended) availability windows.
    • tx.{c,h} Crafting valid data and action frames ready for transmission.
    • version.{c,h} Parse and create AWDL version numbers.
    • wire.{c,h} Mini-library for safely reading and writing primitives types from and to a frame buffer.
  • tests/ The actual test cases for this repository.
  • README.md This file.

Current Limitations/TODOs

  • OWL uses static election metric and counter values, so it either takes part as a slave (low values) or wins the election (high values). See AWDL_ELECTION_METRIC_INIT and AWDL_ELECTION_COUNTER_INIT and in include/election.h.
  • The channel sequence does not adjust itself automatically to current network load and/or other triggers. This would require a better understanding of Apple's implementation. Currently, the channel sequence is fixed when initializing. See awdl_chanseq_init_static() in src/state.{c,h}.
  • OWL does not allow a concurrent connection to an AP. This means, that when started, the Wi-Fi interface exclusively uses AWDL. To work around this, OWL could create a new monitor interface (instead of making the Wi-Fi interface one) and adjust its channel sequence to include the channel of the AP network.

Our Papers

  • Milan Stute, Sashank Narain, Alex Mariotto, Alexander Heinrich, David Kreitschmann, Guevara Noubir, and Matthias Hollick. A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link. 28th USENIX Security Symposium (USENIX Security ’19), August 14–16, 2019, Santa Clara, CA, USA. Link

  • Milan Stute, David Kreitschmann, and Matthias Hollick. One Billion Apples’ Secret Sauce: Recipe for the Apple Wireless Direct Link Ad hoc Protocol. The 24th Annual International Conference on Mobile Computing and Networking (MobiCom '18), October 29–November 2, 2018, New Delhi, India. ACM. doi:10.1145/3241539.3241566

  • Milan Stute, David Kreitschmann, and Matthias Hollick. Demo: Linux Goes Apple Picking: Cross-Platform Ad hoc Communication with Apple Wireless Direct Link. The 24th Annual International Conference on Mobile Computing and Networking (MobiCom '18), October 29–November 2, 2018, New Delhi, India. ACM. doi:10.1145/3241539.3267716

Contact

More Repositories

1

opendrop

An open Apple AirDrop implementation written in Python
Python
8,426
star
2

openhaystack

Build your own 'AirTags' 🏷 today! Framework for tracking personal Bluetooth devices via Apple's massive Find My network.
Swift
7,719
star
3

nexmon

The C-based Firmware Patching Framework for Broadcom/Cypress WiFi Chips that enables Monitor Mode, Frame Injection and much more
C
2,319
star
4

AirGuard

Protect yourself from being tracked 🌍 by AirTags 🏷 and Find My accessories 📍
Kotlin
1,809
star
5

openwifipass

An open source implementation of Apple's Wi-Fi Password Sharing protocol in Python.
Python
789
star
6

mobisys2018_nexmon_software_defined_radio

Proof of concept project for operating Broadcom Wi-Fi chips as arbitrary signal transmitters similar to software-defined radios (SDRs)
Shell
749
star
7

internalblue

Bluetooth experimentation framework for Broadcom and Cypress chips.
Python
655
star
8

frankenstein

Broadcom and Cypress firmware emulation for fuzzing and further full-stack debugging
C
414
star
9

nexmon_csi

Channel State Information Extraction on Various Broadcom Wi-Fi Chips
C
286
star
10

toothpicker

Python
229
star
11

polypyus

Python
212
star
12

privatedrop

Practical Privacy-Preserving Authentication for Apple AirDrop
Swift
210
star
13

bcm-rpi3

DEPRECATED: Monitor Mode and Firmware patching framework for the Raspberry Pi 3, development moved to: https://github.com/seemoo-lab/nexmon
C
158
star
14

BTLEmap

Nmap for Bluetooth Low Energy
Swift
144
star
15

airtag

AirTag instrumentation including AirTechno and firmware downgrades.
JavaScript
130
star
16

wireshark-awdl

Wireshark Dissector for Apple Wireless Direct Link (AWDL) and Apple's CoreCapture logging framework. Note: the AWDL dissector is part of Wireshark 3.0!
129
star
17

mobisys2018_nexmon_channel_state_information_extractor

Example project for extracting channel state information of up to 80 MHz wide 802.11ac Wi-Fi transmissions using the BCM4339 Wi-Fi chip of Nexus 5 smartphones.
MATLAB
96
star
18

airdrop-keychain-extractor

Extracting Apple ID Validation Record, Certificate, and Key for AirDrop
Objective-C
94
star
19

frida-scripts

JavaScript
89
star
20

bcm-public

DEPRECATED: Monitor Mode and Firmware patching framework for the Google Nexus 5, development moved to: https://github.com/seemoo-lab/nexmon
C
75
star
21

fitness-app

Java
68
star
22

apple-continuity-tools

Reverse engineering toolkit for Apple's wireless ecosystem
JavaScript
59
star
23

nexmon_debugger

Debugger with hardware breakpoints and memory watchpoints for BCM4339 Wi-Fi chips
C
54
star
24

talon-tools

Talon Tools: The Framework for Practical IEEE 802.11ad Research
TeX
41
star
25

aristoteles

A Wireshark dissector for the Apple Remote Invocation (ARI) protocol, used between Intel base band chips and the iOS CommCenter for various management purposes, SMS, telephony and much more.
Lua
41
star
26

wisec2017_nexmon_jammer

This project contains the nexmon-based source code required to repeat the experiments of our WiSec 2017 paper.
C
41
star
27

mmTrace

mmTrace: Millimeter Wave Propagation Simulation
MATLAB
39
star
28

fitness-firmware

HTML
39
star
29

apple_u1

JavaScript
38
star
30

dtrace-memaccess_cve-2020-27949

C++
33
star
31

proxawdl

Tunnels a regular TCP connection through an AWDL link by exploiting the NetService API
Objective-C
33
star
32

chirpotle

A LoRaWAN Security Evaluation Framework
Jupyter Notebook
31
star
33

lede-ad7200

LEDE environment ported to support TP-Link TALON AD7200 devices.
C
28
star
34

AirGuard-iOS

Protect yourself from being tracked 📍by Samsung SmartTags and Tile Trackers
Swift
26
star
35

pyshimmer

pyshimmer provides a Python API to work with the wearable sensor devices produced by Shimmer.
Python
24
star
36

mobisys2018_nexmon_covert_channel

Wi-Fi based covert channel that hides information in hand crafted acknowledgement frames imitating additional channel effects that can be extracted from channel state information at the intended receiver.
C
23
star
37

h4bcm_wireshark_dissector

Wireshark dissector for Broadcom specific H4 diagnostic commands
C
21
star
38

owlink.org

Opening up Apple's wireless ecosystem around the Apple Wireless Direct Link (AWDL) protocol
HTML
19
star
39

uwb-sniffer

A UWB Sniffer with accurate timestamps
C
19
star
40

wisec2017_nexmon_jammer_demo_app

This project contains source code of our Nexmon-based jammer app presented as a demo at WiSec 2017.
Java
18
star
41

plist17lib

Python
17
star
42

seemoo-mobile-sensing

Sensor data collector for Android devices
Java
17
star
43

BTLEmap-Framework

BTLEmap's Bluetooth Low Energy framework that powers the app
Swift
16
star
44

seemoo-wearable-sensing

Sensor data collector for Samsung Gear S3
JavaScript
16
star
45

nexmon-arc

The nexmon C-based firmware patching framework adapted for the ARC architecture.
C
16
star
46

csicloak

Python
14
star
47

talon-sector-patterns

Antenna Sector Patterns as obtained by Measurements in the CoNEXT'17 paper
MATLAB
13
star
48

privatefind

Lost and Found: Stopping Bluetooth Finders from Leaking Private Information
C
12
star
49

nexmon_tx_task

Scheduled frame transmission on Broadcom Wi-Fi Chips
C
11
star
50

wisec2017_nexmon_jammer_demo_firmware

This project contains the nexmon-based source code of the jammer used in our WiSec 2017 demo Android app.
C
11
star
51

fido2ext

Bring Your Own FIDO2 Extensions!
JavaScript
11
star
52

wifi-password-sharing

An open source implementation of Apple's Wi-Fi Password Sharing protocol in Swift.
Swift
10
star
53

bcm_misc

10
star
54

Hardwhere

snipeit-it based asset management app
Kotlin
9
star
55

opennan

OpenNAN - An open source NAN stack for Linux
C
9
star
56

ubicomp19_zero_interaction_security

Source code for experiments and evaluation of five zero-interaction security schemes, for our Ubicomp 2019 paper "Perils of Zero-Interaction Security in the Internet of Things"
Jupyter Notebook
9
star
57

myo-keylogging

Code for "My(o) Armband Leaks Passwords: An EMG and IMU Based Keylogging Side-Channel Attack" paper
Python
8
star
58

natural-disaster-mobility

Natural Disaster Mobility Model and Scenarios in the ONE
Java
7
star
59

wisec2017_nexmon_jammer_reproducibility

This project contains all measured data and scripts to recreate the plots used in our WiSec 2017 paper.
MATLAB
7
star
60

nexmon_energy_measurement

This repository contains patched Linux kernel sources to run energy measurements on the Wi-Fi chip of a Nexus 5 smartphone.
C
7
star
61

next2you

Source code for experiments and evaluation of Next2You copresence detection scheme, for our TIOT 2021 paper "Next2You: Robust Copresence Detection Based on Channel State Information".
C
7
star
62

aic-prototype

Proof of concept implementation of Acoustic Integrity Codes (AICs) for Android smartphones
Kotlin
7
star
63

offline-finding-evaluation

Quantitative analysis of location reports from Apple's offline finding (OF) location tracking system
Jupyter Notebook
6
star
64

pico-nexmon

Applications for the Raspberry Pi Pico W related to Nexmon the C-based firmware patching framework for Broadcom/Cypress WiFi chips.
CMake
5
star
65

fastzip

Source code for experiments and evaluation of FastZIP zero-interaction pairing scheme, for our Mobisys 2021 paper "FastZIP: Faster and More Secure Zero-Interaction Pairing".
Python
5
star
66

handoff-ble-viewer

Decrypt and show the content of BLE advertising packets sent by your iPhone when using Handoff
Swift
5
star
67

powerpc-ose

C++
4
star
68

d11-emu

D11emu: A BCM43 D11 Emulation Framework
Rust
4
star
69

PrivateDrop-Base

The framework that powers PrivateDrop
C
3
star
70

graphics

3
star
71

click-castor

Click implementation of LIDOR/SEMUD (based on the Castor routing protocol)
C++
3
star
72

tpy

A Lightweight Framework for Agile Distributed Network Experiments
Python
3
star
73

privatedrop-evaluation

Jupyter Notebook
3
star
74

wintech23_nexmon_d11debug

Pawn
3
star
75

wintech2017_nexmon_ping_offloading

This project contains the nexmon-based source code of the ping offloading application used in our WiNTECH 2017 paper.
C
2
star
76

wisec23-speaker-bootstrapping

Software repository for our WiSec '23 demo: Secure Bootstrapping of Smart Speakers Using Acoustic Communication
C
2
star
77

hardzipa

Source code for experiments and evaluation of HardZiPA system for our EWSN 2023 paper "Hardening and Speeding UpZero-interaction Pairing and Authentication".
Python
2
star
78

talon-library-measurements

Large-Scale Talon Measurements at Library
1
star
79

kardia-demod

Python
1
star
80

handoff-authentication-swift

C++
1
star
81

caret

CARET: The Crisis and Resilience Evaluation Tool
Python
1
star
82

Please-Unstalk-Me

User Data and Online Survey results
Jupyter Notebook
1
star
83

python-msp430-tools

This is a fork of the original python-msp430-tools repository on Launchpad. It features a patchset that is required to use the tools with the Shimmer3 devices.
Python
1
star