AirDrop Message

AirDrop is an Apple technology that allows users to share files with each other via WiFi and Bluetooth without needing to be connected to a WiFi network.

AirDrop Message Structure (btcommon.apple.type == 0x05)

The AirDrop message has several fields that contain important information:

Field Name	Info	Example	Length	Type	Notes
btcommon.apple.airdrop.prefix	Prefix for AirDrop message	0000000000000000	8	Bytes
btcommon.apple.airdrop.version	AirDrop Version	01	1	Bytes	Version of AirDrop?
btcommon.apple.airdrop.appleid	First 2 bytes SHA256(AppleID)	6e2e	2	Bytes
btcommon.apple.airdrop.phone	First 2 bytes SHA256(Phone Number)	f7ad	2	Bytes
btcommon.apple.airdrop.email	First 2 bytes SHA256(Email)	09b2	2	Bytes
btcommon.apple.airdrop.email2	First 2 bytes SHA256(Email 2)	2080	2	Bytes
btcommon.apple.airdrop.suffix	Suffix of AirDrop message	00	1	Bytes

The message fields, observed values, and their meanings are as follows:

Type: 1 byte, 0x05 – indicates an AirDrop message
Length: 1 byte, 0x12 – number of bytes in the message payload
Zeros: 8 bytes
Version: 1 byte
Truncated SHA256 Hash of AppleID: 2 bytes
Truncated SHA256 Hash of Phone Number: 2 bytes
Truncated SHA256 Hash of Email: 2 bytes
Truncated SHA256 Hash of Email2: 2 bytes
Zero: 1 byte

“Hey Siri” Message

“Hey Siri” messages are emitted by a device when the voice assistant Siri is used. Of note, a perceptual hash of the voice command is included in the packet.

Hey Siri Message Structure (btcommon.apple.type == 0x08)

The “Hey Siri” message has several fields that contain important information:

Field Name	Info	Example	Length	Type	Notes
btcommon.apple.siri.perphash	Perceptual Hash of Command	d6ec	2	Bytes	From Cunche Paper
btcommon.apple.siri.snr	Signal-to-Noise Ratio	43	1	Bytes	Not sure if dBm or dB
btcommon.apple.siri.confidence	Confidence Level	00	1	Bytes	Not sure what scale is used
btcommon.apple.siri.deviceclass	Device Class	HomePod (0x0007)	2	UINT16
btcommon.apple.siri.randbyte	Random Byte	ca	1	Bytes	Not sure the purpose of this

The message fields, observed values, and their meanings are as follows:

Type: 1 byte, 0x08 – indicates a “Hey Siri” message
Length: 1 byte, 0x07 – number of bytes in the message payload
Perceptual Hash: 2 bytes – perceptual hash of the user’s voice command
SNR: 1 byte
Confidence: 1 byte
Device Class: 2 bytes
Random Byte: 1 byte

AirPrint Message

AirPrint is an Apple technology designed to enable printing from iOS and macOS devices without needing to install additional software if the printer supports AirPrint.

AirPrint Message Structure (btcommon.apple.type == 0x03)

The AirPrint message has several fields that contain important information:

Field Name	Info	Example	Length	Type	Notes
btcommon.apple.airprint.addrtype	Address Type	74	1 byte	Bytes	This may mean IPv4 vs IPv6
btcommon.apple.airprint.resourcepathtype	Resource Path Type	07	1 byte	Bytes	Not sure what this is
btcommon.apple.airprint.securitytype	Security Type	6f	1 byte	Bytes	Not sure what this is
btcommon.apple.airprint.qidport	QID or TCP Port	55990	2 bytes	Decimal
btcommon.apple.airprint.ipaddr	IPv4 or IPv6 Address	e52f:eee5:be15:1347:399:3500:1063:6fc5	16 bytes	IPv6
btcommon.apple.airprint.power	Measured Power	6d	1 byte	Bytes	Is this dbm, db? Sometimes it’s optional

The message fields, observed values, and their meanings are as follows:

Type: 1 byte, 0x03 – indicates an AirPrint message
Length: 1 byte, 0x16 – number of bytes in the message payload
Address Type: 1 byte
Resource Path Type: 1 byte
Security Type: 1 byte
QID or TCP Port: 2 bytes
IPv4/6 Address: 16 bytes
Measured Power: 1 byte

Summary

I have updated my code to be compatible with iOS 13 and above, covering all versions. Additionally, I have developed a dissector for Wireshark to categorize and filter the required data, making the project more user-friendly and easier to implement. This work has required dedicated effort and meticulous attention to detail. I am continually improving it to keep up with future updates to Apple’s systems.