Read AirTag data from the FindMy.app cache and convert to GPX

I am trying this script on an M1 Mac. However, this file does not seem to exist despite the FindMy app is running:

~ cat $HOME/Library/Caches/com.apple.findmy.fmipcore/Items.data
cat: /Users/tmozes/Library/Caches/com.apple.findmy.fmipcore/Items.data: Operation not permitted

Any idea how to access the data on M1s?

Author

What is the file permissions on Items.data?

Hi Henrik, please see below:

~ ls -alt /Users/tmozes/Library/Caches/com.apple.findmy.fmipcore/Items.data
-rw-r--r--@ 1 tmozes  staff  6900 Jun 23 00:16 /Users/tmozes/Library/Caches/com.apple.findmy.fmipcore/Items.data

@tmozes make sure your terminal has full disk access - This article can help

Just in case it is helpful, I wrote a script that logs more information (history location, battery level, etc.) and supports more devices (AirTag, iPhone, MacBook, etc.).

https://github.com/fjxmlzn/FindMyHistory

Suggestions are welcome!

Author

@fjxmlzn Cool!

Hello @henrik242 , I was looking at your great code but I still have a question.. Could be possible to get from findmy cache not only lat, long and the actual timestamp also the timestamp of the last update of the airtag?
It could happen that I read the cache right now but the last update of the Airtag was many days ago.. Thank you very much :-)

Author

@sarto89 Just look at your $HOME/Library/Caches/com.apple.findmy.fmipcore/Items.data file and you might find what you're looking for.

Looks like with the MacOS Sonoma 14.4 update the $HOME/Library/Caches/com.apple.findmy.fmipcore/ files became encrypted. Any idea how to decrypt these to get the file in plain text again like it was is 14.3.1 and before? I was expecting apple to chop our legs off, it has happened.

Author

Are you sure they are encrypted? What does the command file $HOME/Library/Caches/com.apple.findmy.fmipcore/* say?

Author

Bummer. I'm still on Ventura, so I'm not affected (yet).

Bummer. I'm still on Ventura, so I'm not affected (yet).

I am on Sonoma 14.3.1 but I built an airtag harvesting app that I was planning to go to production with for users to track the history on a map of their FindMy tags. Putting that on hold until I find out if I can decryot these files. This was expected as Apple frowns on tracking the history..

Author

Maybe try putting that string in a file by itself and try to figure out what kind of encryption it is. Is it base64 encoded?

Also hitting this on 14.4.1

% plutil -p /Users/xxx/Library/Caches/com.apple.findmy.fmipcore/Items.data
{
  "encryptedData" => {length = 40501, bytes = 0x82f73cb2 91a2aa9f 867bd9c0 30c79f5e ... d491f5f6 52b03543 }
  "signature" => {length = 64, bytes = 0xcffcffcc d3befa46 13c3dd0b 0166762d ... eed8541f b9afbce1 }
}

yes, the encryption started in 14.4 so we would expect subsequent releases 14.4.x+ to now have it permanently. Stay with macOS 10.5 to 14.3.1 and your safe. It would be nice if we could decrypt the files but we need the key to decrypt them and I can't see any way to get that as Apple does not want you to look at your own files.

The key has to be somewhere (keychain?), it should be possible to reverse engineer and re-implement the decryption