Read AirTag data from the FindMy.app cache and convert to GPX

airtag-to-gpx-sync.sh

#!/usr/bin/env bash

# 
# Reads AirTag data from the FindMy.app cache and converts it to a daily GPX file
#
# Rsyncs the data to a web accessible folder that can be displayed with e.g. 
# https://gist.github.com/henrik242/84ad80dd2170385fe819df1d40224cc4
#
# This should typically be run as a cron job
#

set -o pipefail -o nounset -o errexit

export PATH=/usr/local/bin:$PATH
DATADIR=/tmp/airtag-data
TODAY=$(date +%d)

mkdir -p $DATADIR
DATA=$DATADIR/airtagdata-$TODAY.txt
GPX=$DATADIR/airtagdata-$TODAY.gpx
TAGNAME=Foobar

if [[ $(uname -s) == "Darwin" ]]; then
  TOMORROW=$(date -v +1d +%d)
else
  TOMORROW=$(date --date="tomorrow" +%d)
fi
rm -f $DATADIR/airtagdata-$TOMORROW.gpx

jq -r '.[] | select(.name == "'$TAGNAME'") | .location | "\(.latitude) \(.longitude) \(.altitude) \(.timeStamp/1000 | todate)"' \
   $HOME/Library/Caches/com.apple.findmy.fmipcore/Items.data >> $DATA

START='<?xml version="1.0" encoding="UTF-8"?>
<gpx xmlns="http://www.topografix.com/GPX/1/1" xmlns:mytracks="http://mytracks.stichling.info/myTracksGPX/1/0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" creator="myTracks" version="1.1" xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd">
   <trk>
      <name>'$TAGNAME'</name>
      <extensions>
         <mytracks:color red="0.000000" green="0.000000" blue="1.000000" alpha="1.000000" />
         <mytracks:area showArea="no" areaDistance="0.000000" />
         <mytracks:directionArrows showDirectionArrows="yes" />
         <mytracks:sync syncPhotosOniPhone="no" />
         <mytracks:timezone offset="120" />
      </extensions>
      <trkseg>'

END='      </trkseg>
   </trk>
</gpx>'


echo $START > $GPX 

function elems() {
    LAT=$1
    LON=$2
    ELE=$3
    TS=$4
}

cat $DATA | while read line; do
  elems $line
  echo '<trkpt lat="'$LAT'" lon="'$LON'">
            <ele>'$ELE'</ele>
            <time>'$TS'</time>
         </trkpt>' >> $GPX
done

echo $END >> $GPX
cp $GPX $DATADIR/airtagdata.gpx

rsync -a --exclude='*.txt' $DATADIR example.com:public_html/airtag/

I am trying this script on an M1 Mac. However, this file does not seem to exist despite the FindMy app is running:

~ cat $HOME/Library/Caches/com.apple.findmy.fmipcore/Items.data
cat: /Users/tmozes/Library/Caches/com.apple.findmy.fmipcore/Items.data: Operation not permitted

Any idea how to access the data on M1s?

What is the file permissions on Items.data?

Hi Henrik, please see below:

~ ls -alt /Users/tmozes/Library/Caches/com.apple.findmy.fmipcore/Items.data
-rw-r--r--@ 1 tmozes  staff  6900 Jun 23 00:16 /Users/tmozes/Library/Caches/com.apple.findmy.fmipcore/Items.data

@tmozes make sure your terminal has full disk access - This article can help

Just in case it is helpful, I wrote a script that logs more information (history location, battery level, etc.) and supports more devices (AirTag, iPhone, MacBook, etc.).

https://github.com/fjxmlzn/FindMyHistory

Suggestions are welcome!

@fjxmlzn Cool!

Hello @henrik242 , I was looking at your great code but I still have a question.. Could be possible to get from findmy cache not only lat, long and the actual timestamp also the timestamp of the last update of the airtag?
It could happen that I read the cache right now but the last update of the Airtag was many days ago.. Thank you very much :-)

@sarto89 Just look at your $HOME/Library/Caches/com.apple.findmy.fmipcore/Items.data file and you might find what you're looking for.

Looks like with the MacOS Sonoma 14.4 update the $HOME/Library/Caches/com.apple.findmy.fmipcore/ files became encrypted. Any idea how to decrypt these to get the file in plain text again like it was is 14.3.1 and before? I was expecting apple to chop our legs off, it has happened.

Are you sure they are encrypted? What does the command file $HOME/Library/Caches/com.apple.findmy.fmipcore/* say?

I am sure but you are safe if you stop updating at 14.3.1 The directory is not encrypted but the Items.data, Devices.data and so forth are. Need a key to decrypt them.

…

On Fri, Mar 8, 2024 at 9:17 AM henrik242 ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Are you sure they are encrypted? What does the command file $HOME/Library/Caches/com.apple.findmy.fmipcore/* say? — Reply to this email directly, view it on GitHub <https://gist.github.com/henrik242/1da3a252ca66fb7d17bca5509a67937f#gistcomment-4977418> or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASCZRA5JPPSBRMYMSZKH4RTYXHB6PBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTCNJUGQYTKMBQU52HE2LHM5SXFJTDOJSWC5DF> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

plutil -convert xml1 Items.data <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" " http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>encryptedData</key> <data> kFZv8TThNHlX/BRTODmYYm+PMOlMUISTiImesRkDiaHHnaOFwPCRTmrIFSHKq3d1scgo

…

On Fri, Mar 8, 2024 at 9:35 AM Mr Robby ***@***.***> wrote: I am sure but you are safe if you stop updating at 14.3.1 The directory is not encrypted but the Items.data, Devices.data and so forth are. Need a key to decrypt them. On Fri, Mar 8, 2024 at 9:17 AM henrik242 ***@***.***> wrote: > ***@***.**** commented on this gist. > ------------------------------ > > Are you sure they are encrypted? What does the command file > $HOME/Library/Caches/com.apple.findmy.fmipcore/* say? > > — > Reply to this email directly, view it on GitHub > <https://gist.github.com/henrik242/1da3a252ca66fb7d17bca5509a67937f#gistcomment-4977418> > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/ASCZRA5JPPSBRMYMSZKH4RTYXHB6PBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTCNJUGQYTKMBQU52HE2LHM5SXFJTDOJSWC5DF> > . > You are receiving this email because you commented on the thread. > > Triage notifications on the go with GitHub Mobile for iOS > <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> > or Android > <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> > . > >

Bummer. I'm still on Ventura, so I'm not affected (yet).

Bummer. I'm still on Ventura, so I'm not affected (yet).

I am on Sonoma 14.3.1 but I built an airtag harvesting app that I was planning to go to production with for users to track the history on a map of their FindMy tags. Putting that on hold until I find out if I can decryot these files. This was expected as Apple frowns on tracking the history..

Maybe try putting that string in a file by itself and try to figure out what kind of encryption it is. Is it base64 encoded?

it's typical plist encryption, i need to have the FindMy app to figure out how it reads the file. Need a test box running 14.4 as I backed mine out to 14.3.1 now so my app would work.

…

On Fri, Mar 8, 2024 at 10:09 AM henrik242 ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Maybe try putting that string in a file by itself and try to figure out what kind of encryption it is. Is it base64 encoded? — Reply to this email directly, view it on GitHub <https://gist.github.com/henrik242/1da3a252ca66fb7d17bca5509a67937f#gistcomment-4977575> or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASCZRA6PG5FP77Q5H2FUGGTYXHIDHBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTCNJUGQYTKMBQU52HE2LHM5SXFJTDOJSWC5DF> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

Also hitting this on 14.4.1

% plutil -p /Users/xxx/Library/Caches/com.apple.findmy.fmipcore/Items.data
{
  "encryptedData" => {length = 40501, bytes = 0x82f73cb2 91a2aa9f 867bd9c0 30c79f5e ... d491f5f6 52b03543 }
  "signature" => {length = 64, bytes = 0xcffcffcc d3befa46 13c3dd0b 0166762d ... eed8541f b9afbce1 }
}

yes, the encryption started in 14.4 so we would expect subsequent releases 14.4.x+ to now have it permanently. Stay with macOS 10.5 to 14.3.1 and your safe. It would be nice if we could decrypt the files but we need the key to decrypt them and I can't see any way to get that as Apple does not want you to look at your own files.

The key has to be somewhere (keychain?), it should be possible to reverse engineer and re-implement the decryption