Why is it possible to locate an iPhone with the 'Find My' function even when the power is off?



With the official release of iOS 15 on September 21, 2021, the Find My feature for locating Apple devices has been enhanced, and some iPhones can now be found even while they are powered off. Hacker Jiska explains how it is possible to find an iPhone that has been turned off.

Always-on Processor magic: How Find My works while iPhone is powered off
https://twitter.com/craiu/status/1442412803546099713


The 'Find My' function, available since iOS 13, lets you safely locate a device as follows: a nearby Apple device picks up the target device's Bluetooth beacon, encrypts the device's location information, and uploads it to iCloud together with the public key, so that the device's location can be looked up.
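To make the flow in the paragraph above concrete, here is an added Python model of the offline-finding exchange (example code, not from the article or from Apple): the owner's device derives rotating beacon keys, a finder encrypts its own location to the key it heard and uploads it under a hashed index, and only the owner can look the report up and decrypt it. Apple's P-224 curve and AES-GCM are replaced by a toy Diffie-Hellman group and a SHA-256 keystream; that substitution is an assumption made to keep the example self-contained.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group standing in for Apple's P-224 curve (an assumption, not the real parameters).
P = 2**127 - 1  # Mersenne prime: fine for a model, never for production use
G = 5

def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the given byte strings."""
    return hashlib.sha256(b"".join(parts)).digest()

def rotating_keypair(seed: bytes, period: int):
    """Derive the period-th private/public key from the owner's seed (simplified key rotation)."""
    d = int.from_bytes(h(seed, period.to_bytes(4, "big")), "big") % (P - 1) or 1
    return d, pow(G, d, P)

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-GCM: XOR with a SHA-256 keystream (an assumption, not Apple's cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], h(key, i.to_bytes(4, "big"))))
    return bytes(out)

def finder_report(beacon_pub: int, location: bytes) -> dict:
    """A nearby device hears the BLE beacon (a public key) and encrypts its own GPS fix to it."""
    e = secrets.randbelow(P - 2) + 1               # ephemeral private key of the finder
    shared = pow(beacon_pub, e, P).to_bytes(16, "big")
    key = h(b"report", shared)
    ct = xor_stream(key, location)
    return {"index": h(beacon_pub.to_bytes(16, "big")),  # server sees only a hash of the beacon key
            "eph_pub": pow(G, e, P), "ct": ct, "tag": h(key, ct)}

def owner_locate(seed: bytes, server: dict, periods: range) -> list:
    """Owner recomputes each rotated key, queries the server by hashed index and decrypts any reports."""
    found = []
    for period in periods:
        d, pub = rotating_keypair(seed, period)
        for rep in server.get(h(pub.to_bytes(16, "big")), []):
            key = h(b"report", pow(rep["eph_pub"], d, P).to_bytes(16, "big"))
            if rep["tag"] == h(key, rep["ct"]):    # reject reports that do not decrypt under this key
                found.append((period, xor_stream(key, rep["ct"])))
    return found

if __name__ == "__main__":
    server = {}                                    # models the iCloud lookup table
    _, beacon = rotating_keypair(b"constructed-owner-seed", 7)
    rep = finder_report(beacon, b"lat=35.68,lon=139.77")   # constructed GPS fix
    server.setdefault(rep["index"], []).append(rep)
    print(owner_locate(b"constructed-owner-seed", server, range(10)))
```

The server only ever stores the hashed beacon key, the finder's ephemeral public key and ciphertext, so neither Apple nor the finder learns which device the report belongs to or where it is.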

What is the mechanism of the 'Find My' function announced by Apple that can locate even offline devices? --GIGAZINE


by William Hook

This 'Find My' feature has been improved in iOS 15 to allow you to track a device's location in real time even on a powered-off iPhone.

In iPhone's next OS, 'iOS 15', the smartphone can be found with 'Find My' even when it is turned off --GIGAZINE



Since the 'Find My' function uses Bluetooth, it should be impossible to pinpoint the position of a powered-off iPhone in real time. However, the new 'Find My' function in iOS 15 is said to be handled by the low-power auxiliary processor, the 'Always-on Processor (AOP)'.

There are few public documents about the AOP, but according to Jiska, the AOP is connected to almost every chip in the iPhone. The AOP is responsible only for basic tasks such as power management and starting iOS when needed. For example, Apple explains that the voice assistant Siri can wake up quickly from sleep because the AOP has access to the microphone signal.

Because the AOP has its own copy of a chip's driver, it can operate that chip on its own. The IoT application that runs the Bluetooth chip standalone executes in a ThreadX thread called 'mpaf' that is included in the Bluetooth firmware.



In other words, even if the power is turned off and iOS itself is shut down, the AOP built into the device keeps the Bluetooth chip running, so the iPhone can be found with the 'Find My' function. The devices that support 'Find My' while powered off are iPhone 11 and later, although the 2nd generation iPhone SE does not include the mpaf patch.

Apart from the AOP, only the Bluetooth chip is running on a powered-off iPhone. Jiska said, 'When I tried to connect using the NFC function of an AirTag, the iPhone's NFC was off.' Also, since cellular communication itself consumes a lot of battery, it is impossible to communicate while the power is off.



Jiska said, 'The new Find My feature has made many people aware that not only the AOP but also the Bluetooth chip can work autonomously. If someone hacks your iPhone and spies on it, it's likely that your iPhone isn't completely turned off even though it appears turned off on the screen. Don't trust that your iPhone is 'powered off' until you remove the battery or put it in a blender.'

in Mobile, Hardware, Posted by log1i_yk