MyKE / FindMyFlipper – Track your Flipper Zero via Apple FindMy network

Created Tue, 17 Mar 2026 22:00:00 +0000
945 Words
flipper zero findmy apple ble openhaystack

FindMyFlipper – Track your Flipper Zero via Apple FindMy network

If you own a Flipper Zero and want to track its location using Apple’s FindMy network, FindMyFlipper is a great way to do it. It turns your Flipper into an AirTag-like device, broadcasting BLE (Bluetooth Low Energy) beacons that are picked up by any nearby iPhone and relayed to Apple’s servers – all without Apple knowing it’s not a real AirTag.

In this post I’ll walk through how it works, how to set it up using Option B (AirTag key generation via anisette-v3-server), how to query location reports and display them on a map, and a few gotchas I ran into.

How it works

FindMyFlipper leverages the OpenHaystack protocol. The basic flow is:

  1. The Flipper Zero broadcasts a BLE advertisement containing a public key (SECP224R1 elliptic curve)
  2. Any nearby iPhone (iOS 13+) detects the beacon, grabs its own GPS coordinates, encrypts the location with the public key, and uploads it to Apple’s servers
  3. Apple stores the encrypted reports but cannot decrypt them – they don’t know which account the key belongs to
  4. Only someone with the corresponding private key can download and decrypt the location reports via Apple’s API

The beauty of this design is that Apple’s own end-to-end encryption works in your favor – billions of iPhones become your tracking network for free.

Key generation options

FindMyFlipper offers two approaches:

  • Option A – Tag Cloning: Clone a real AirTag’s BLE advertisement. Requires a physical AirTag, and you can track via the native FindMy app. The catch: the original tag must stay powered off, otherwise key rotation will invalidate your clone.
  • Option B – Key Generation (what I used): Generate synthetic key pairs using the OpenHaystack protocol. No physical tag needed, but you’ll need Docker + Python to query location reports.

Setup – Option B with anisette-v3-server

Prerequisites

  • Docker Desktop
  • Python 3
  • Git
  • An Apple ID with regular SMS/MFA enabled (more on this below)

Step 1: Clone the repo

git clone https://github.com/MatthewKuKanich/FindMyFlipper.git

Step 2: Start the anisette server

The anisette-v3-server generates device provisioning tokens (X-Apple-I-MD and X-Apple-I-MD-M headers) that Apple requires during authentication. It emulates a real Apple device, making Apple’s servers accept your requests.

docker run -d --restart always --name anisette-v3 \
  -p 6969:6969 \
  --volume anisette-v3_data:/home/Alcoholic/.config/anisette-v3/lib/ \
  dadoum/anisette-v3-server:latest

Step 3: Set up Python environment

cd FindMyFlipper/AirTagGeneration
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt

Step 4: Generate keys

python3 generate_keys.py

This creates a .keys file in the keys/ directory containing the private key, advertisement key, and hashed advertisement key. Keep this file safe – it’s your only way to decrypt location reports.

Step 5: Transfer to Flipper Zero

Copy the .keys file to your Flipper’s SD card at:

apps_data/findmy/

On the Flipper, launch the FindMyFlipper app, go to Config > Import Tag From File, select your .keys file, choose Apple as the tag type, and save.

Running in background on Momentum firmware

If you’re running Momentum firmware (which I’d recommend), FindMyFlipper starts broadcasting automatically at boot – no need to manually launch the app each time. It runs in the background with negligible battery impact while all other Flipper functions remain available.

On stock firmware you’d need to manually start the app after each reboot.

Querying location reports

This is where it gets interesting. After your Flipper has been broadcasting for a while (first report can take up to 30 minutes), you can fetch the encrypted location reports from Apple’s servers.

Fetch reports

python3 request_reports.py

You’ll be prompted for your Apple ID and password. After SMS 2FA verification, credentials are cached in keys/auth.json for future use.

The script calls Apple’s API endpoint https://gateway.icloud.com/acsnservice/fetch, downloads encrypted reports, and decrypts them using your private key. Each report contains latitude, longitude, confidence level, and timestamp.

Generate an interactive map

python3 RequestReport&Map.py

This generates an HTML file with an interactive map using Folium (a Leaflet.js wrapper) showing:

  • OpenStreetMap base layer
  • Animated trajectory with timestamps
  • Start/end times, number of pings, elapsed time

If you just want a quick link for a single coordinate, the script also outputs Google Maps URLs:

https://maps.google.com/maps?q=LATITUDE,LONGITUDE

Custom script for Google Maps

Here’s a minimal Python script to fetch the latest coordinates and open them in Google Maps:

import json
import webbrowser

with open("data.json", "r") as f:
    reports = json.load(f)

if reports:
    latest = max(reports, key=lambda r: r["timestamp"])
    lat = latest["latitude"]
    lon = latest["longitude"]
    url = f"https://maps.google.com/maps?q={lat},{lon}"
    print(f"Latest location: {lat}, {lon}")
    print(f"Google Maps: {url}")
    webbrowser.open(url)
else:
    print("No reports found")

Run request_reports.py first to populate data.json, then run this script to open the latest location in your browser.

Important limitation: Apple ID and hardware security keys

If your Apple ID uses hardware security keys (like YubiKey) as the sole MFA method, this will not work. The authentication library (pypush_gsa_icloud.py) only implements SMS 2FA and Trusted Device 2FA. Hardware security key (FIDO/WebAuthn) authentication is not supported.

You need an Apple ID with regular SMS-based MFA to query location reports. I’d recommend using a secondary/throwaway Apple ID for this purpose.

Summary

FindMyFlipper is an excellent way to keep tabs on your Flipper Zero’s location by piggybacking on Apple’s massive FindMy network. The setup with Option B and anisette-v3-server is a bit involved, but once configured it just works – especially on Momentum firmware where it runs automatically in the background.

The main things to remember:

  • Use Option B with anisette-v3-server for a fully self-contained setup (no physical AirTag needed)
  • Run the anisette Docker container persistently
  • Your Apple ID must use regular SMS MFA, not hardware security keys
  • First location report can take up to 30 minutes
  • Momentum firmware enables automatic background broadcasting

References