// the find
furiousMAC/continuity
Apple Continuity Protocol Reverse Engineering and Dissector
A research project reverse-engineering Apple's proprietary Continuity BLE protocol — the stack behind AirDrop, Handoff, AirPlay, Find My, and a dozen other Apple-ecosystem features. Comes with Wireshark dissectors that let you actually inspect this traffic. For security researchers, privacy engineers, and anyone building BLE tools who needs to understand what Apple devices are broadcasting.
The wire-format documentation is unusually precise — field-level breakdowns with byte offsets and known values for 14 distinct message types. The Wireshark dissector is the practical payoff: you get working packet inspection without writing anything yourself. It's grounded in peer-reviewed work (two PETS papers) so the findings have been scrutinized. The dissector has been kept updated through Wireshark 4.4.0, which is relatively recent.
Dissector updates are distributed as full patched copies of packet-bthci_cmd.c per Wireshark version, which means no plugin architecture — every new Wireshark release potentially needs a new copy committed to the repo. The project is documentation-heavy but tooling-light: there's no parsing library you can import, just Markdown tables and the Wireshark dissector. Many field values are still marked unknown, and Apple's frequent protocol updates mean the docs lag behind current iOS/macOS. The last meaningful update was in early 2026, though activity has been sparse since 2020.
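Since the repo ships tables rather than a library, here is a small added example (not code from furiousMAC/continuity) of the layout those tables describe: BLE AD structures as [len][type][data], Apple manufacturer data (AD type 0xFF) opening with company ID 0x004C little-endian, followed by Continuity messages as [type][len][body]. The message-type names are assumed from the project's documentation, and the advertisement bytes are constructed.

```python
from typing import Dict, List, Tuple

APPLE_COMPANY_ID = 0x004C   # little-endian 4C 00 on the wire
AD_TYPE_MANUFACTURER = 0xFF

# Message type names assumed from the project's docs; verify against its tables.
MESSAGE_NAMES: Dict[int, str] = {
    0x05: "AirDrop", 0x07: "Proximity Pairing", 0x0C: "Handoff",
    0x0F: "Nearby Action", 0x10: "Nearby Info", 0x12: "Find My",
}


def parse_ad_structures(adv: bytes) -> List[Tuple[int, bytes]]:
    """Split raw advertising data into (ad_type, payload) pairs: [len][type][data]..."""
    out, i = [], 0
    while i < len(adv) and adv[i] != 0:      # a zero length ends the sequence
        end = i + 1 + adv[i]
        if end > len(adv):                   # length byte runs past the buffer
            raise ValueError(f"truncated AD structure at offset {i}")
        out.append((adv[i + 1], adv[i + 2:end]))
        i = end
    return out


def parse_continuity(mfr: bytes) -> List[Tuple[int, bytes]]:
    """Walk Continuity TLVs ([type][len][body]...) after the Apple company ID."""
    if len(mfr) < 2 or int.from_bytes(mfr[:2], "little") != APPLE_COMPANY_ID:
        return []                            # not Apple manufacturer data
    msgs, i = [], 2
    while i + 2 <= len(mfr):
        msg_type, msg_len = mfr[i], mfr[i + 1]
        body = mfr[i + 2:i + 2 + msg_len]
        if len(body) != msg_len:             # claimed length overruns the buffer
            raise ValueError(f"message 0x{msg_type:02x} claims {msg_len} bytes, {len(body)} present")
        msgs.append((msg_type, body))
        i += 2 + msg_len
    return msgs


def continuity_summary(adv: bytes) -> List[str]:
    """Names of the Continuity messages one advertisement carries (what the device broadcasts)."""
    names = []
    for ad_type, data in parse_ad_structures(adv):
        if ad_type == AD_TYPE_MANUFACTURER:
            for msg_type, body in parse_continuity(data):
                names.append(f"{MESSAGE_NAMES.get(msg_type, 'Unknown')} (0x{msg_type:02x}, {len(body)} bytes)")
    return names


# Constructed sample: Flags AD, then Apple data carrying Nearby Info + Nearby Action.
SAMPLE_ADV = bytes.fromhex("02011A" "0FFF4C00" "100501180102AB" "0F03C0A1B2")
```

Feeding a captured advertisement to `continuity_summary` lists which Continuity message types it carries, the same view the Wireshark dissector gives per packet.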