v1.3
The Find My Device Network (FMDN) accessory specification defines an end-to-end encrypted approach for tracking beaconing Bluetooth Low Energy (BLE) devices. This page describes FMDN as an extension to the Fast Pair specification. Providers should enable this extension if they have devices that are compatible with FMDN and are willing to enable location tracking for those devices.
GATT Specification
An additional generic attributes (GATT) characteristic should be added to the Fast Pair Service with the following semantics:
| Fast Pair Service characteristic | Encrypted | Permissions | UUID |
|---|---|---|---|
| Beacon actions | No | Read, write and notify | FE2C1238-8366-4814-8EB0-01DE32100BEA |
Table 1: Fast Pair Service characteristics for FMDN.
Authentication
The operations required by this extension are performed as a write operation, secured by a challenge-response mechanism. Prior to performing any operation, the Seeker is expected to perform a read operation from the characteristic in table 1, which results in a buffer in the following format:
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Protocol major version number | 0x01 |
| 1 - 8 | byte array | One-time random nonce | varies |
Each read operation should result in a different nonce, and a single nonce should be valid only for a single operation. The nonce must be invalidated even if the operation failed.
The Seeker then calculates a one-time authentication key to be used in a subsequent write request. The authentication key is calculated as described in tables 2 through 5. Depending on the operation being requested, the Seeker proves knowledge of one or more of the following keys:
Account key: The 16-byte Fast Pair account key, as defined in the Fast Pair specification.
Owner account key: The Provider chooses one of the existing account keys as the owner account key the first time a Seeker accesses the Beacon Actions characteristic. The chosen owner account key can't be changed until the Provider is factory reset. The Provider must not remove the owner account key when it runs out of free account key slots.
Providers that already support FMDN when paired for the first time (or support it when paired after factory reset) choose the first account key, because this is the only existing account key when the Seeker reads the provisioning state during pairing.
Providers that gain FMDN support after they're already paired (for example, through a firmware update) can choose any existing account key. It's reasonable to choose the first account key that is used to read the provisioning state from the beacon actions characteristic after the firmware update, assuming the user who performed the update is the Provider's current owner.
Ephemeral identity key (EIK): A 32-byte key chosen at random by the Seeker when performing the FMDN provisioning process. This key is used to derive cryptographic keys that are used for end-to-end encrypting location reports. The Seeker never reveals it to the backend.
Recovery key: Defined as
SHA256(ephemeral identity key || 0x01), truncated to the first 8 bytes. The key is stored on the backend and the Seeker can use it to recover the EIK, provided the user expresses consent by pressing a button on the device.Ring key: Defined as
SHA256(ephemeral identity key || 0x02), truncated to the first 8 bytes. The key is stored on the backend and the Seeker can use it only to ring the device.Unwanted tracking protection key: Defined as
SHA256(ephemeral identity key || 0x03), truncated to the first 8 bytes. The key is stored on the backend and the Seeker can use it only to activate unwanted tracking protection mode.
Operations
The format of the data written to the characteristic is given in tables 2 through 5. Each of the operations is discussed in more details later in this section.
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Data ID |
|
| 1 | uint8 | Data length | varies |
| 2 - 9 | byte array | One-time authentication key | The first 8 bytes of
HMAC-SHA256(account key, protocol major version number || the last nonce
read from the characteristic || data ID || data length || additional data) |
| 10 - var | byte array | Additional data |
|
Table 2: Beacon provisioning request.
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Data ID | 0x04: Read ephemeral identity key with user consent |
| 1 | uint8 | Data length | 0x08 |
| 2 - 9 | byte array | One-time authentication key | The first 8 bytes of
HMAC-SHA256(recovery key, protocol major version number || the last nonce
read from the characteristic || data ID || data length) |
Table 3: Beacon provisioning key recovery request.
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Data ID |
|
| 1 | uint8 | Data length | varies |
| 2 - 9 | byte array | One-time authentication key | The first 8 bytes of
HMAC-SHA256(ring key, protocol major version number || the last nonce read
from the characteristic || data ID || data length || additional data) |
| 10 - var | byte array | Additional data |
|
Table 4: Ringing request.
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Data ID |
|
| 1 | uint8 | Data length | varies |
| 2 - 9 | byte array | One-time authentication key | The first 8 bytes of
HMAC-SHA256(unwanted tracking protection key, protocol major version number
|| the last nonce read from the characteristic || data ID || data length ||
additional data) |
| 10 - var | byte array | Additional data |
|
Table 5: Unwanted tracking protection request.
Successful writes trigger notifications as listed in table 6.
Notifications with data ID other than 0x05: Ring state change should be sent before the write transaction that triggers the notification is completed, that is, before a response PDU for the write request is sent.
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Data ID |
|
| 1 | uint8 | Data length | varies |
| 2 - 9 | byte array | Authentication | Detailed per operation |
| 10 - var | byte array | Additional data |
|
Table 6: Beacon service response.
Table 7 lists the possible GATT error codes returned by the operations.
| Code | Description | Notes |
|---|---|---|
| 0x80 | Unauthenticated | Returned in response to a write request when authentication fails (including the case where an old nonce was used). |
| 0x81 | Invalid value | Returned when any invalid value is provided or the data received has an unexpected number of bytes. |
| 0x82 | No user consent | Returned in response to a write request with data ID 0x04: Read ephemeral identity key with user consent when the device isn't in pairing mode. |
Table 7: GATT error codes.
Read the beacon's parameter
The Seeker can query the Provider for the beacon's parameters by performing a write operation to the characteristic consisting of a request from table 2 with data ID 0x00. The Provider verifies that the provided one-time authentication key matches any of the account keys stored on the device.
If verification fails the Provider returns an unauthenticated error.
On success, the Provider notifies with a response from table 6 with data ID 0x00. The Provider constructs the data segment as follows:
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Calibrated power | The calibrated power as received at 0m (a value in the range [-100, 20]). Represented as a signed integer, with 1 dBm resolution. |
| 1 - 4 | uint32 | Clock value | The current clock value in seconds (big endian). |
| 5 | uint8 | Curve selection | The elliptic curve being used for encryption:
|
| 6 | uint8 | Components | The number of components capable of ringing:
|
| 7 | uint8 | Ringing capabilities | The supported options are:
|
| 8-15 | byte array | Padding | Zero padding for AES encryption. |
The data should be AES-ECB-128 encrypted with the account key used for authenticating the request.
The authentication segment is defined as the first 8 bytes of
HMAC-SHA256(account key, protocol major version number || the last nonce read
from the characteristic || data ID || data length || additional data after
encryption || 0x01).
Read the beacon's provisioning state
The Seeker can query the Provider for the beacon's provisioning state by performing a write operation to the characteristic consisting of a request from table 2 with data ID 0x01. The Provider verifies that the provided one-time authentication key matches any of the account keys stored on the device.
If verification fails, the Provider returns an unauthenticated error.
On success, the Provider notifies with a response from table 6 with data ID 0x01. The Provider constructs the data segment as follows:
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Provisioning state | A bitmask having the following values:
|
| 1 - 20 or 32 | byte array | Current ephemeral identifier | 20 or 32 bytes (depending on the encryption method being used) indicating the current ephemeral ID advertised by the beacon, if one is set for the device. |
The authentication segment is defined as the first 8 bytes of
HMAC-SHA256(account key, protocol major version number || the last nonce read
from the characteristic || data ID || data length || additional data || 0x01).
Set an ephemeral identity key
To provision an unprovisioned Provider as an FMDN beacon, or change the ephemeral identity key of already provisioned Provider, the Seeker performs a write operation to the characteristic consisting of a request from table 2 with data ID 0x02. The Provider verifies that:
- The provided one-time authentication key matches the owner account key.
- If a hash of an ephemeral identity key was provided, the hashed ephemeral identity key matches the current ephemeral identity key.
- If a hash of an ephemeral identity key wasn't provided, verify that the Provider wasn't already provisioned as an FMDN beacon.
If verification fails, the Provider returns an unauthenticated error.
On success, the ephemeral identity key is recovered by AES-ECB-128 decrypting it using the matched account key. The key should be persisted on the device, and from that point on the Provider should start advertising FMDN frames. The new ephemeral identity key takes effect immediately after the BLE connection is terminated. The Provider notifies with a response from table 6 with data ID 0x02.
The authentication segment is defined as the first 8 bytes of
HMAC-SHA256(account key, protocol major version number || the last nonce read
from the characteristic || data ID || data length || 0x01).
Clear the ephemeral identity key
To unprovision the beacon portion of the Provider, the Seeker performs a write operation to the characteristic, consisting of a request from table 2 with data ID 0x03. The Provider verifies that:
- The provided one-time authentication key matches the owner account key.
- The hashed ephemeral identity key matches the current ephemeral identity key.
If the Provider isn't provisioned as an FMDN beacon or verification fails, it returns an unauthenticated error.
On success, the Provider forgets the key and stops advertising FMDN frames.
The Provider notifies with a response from table 6 with data ID 0x03.
The authentication segment is defined as the first 8 bytes of
HMAC-SHA256(account key, protocol major version number || the last nonce read
from the characteristic || data ID || data length || 0x01).
Read the ephemeral identity key with user consent
This option is only available to recover a lost key, as the key is only stored locally by the Seeker. As such, this capability is available only when the device is in pairing mode or for some limited time after a physical button was pressed on the device (which constitutes user consent).
The Seeker must store the recovery key on the backend to be able to recover the cleartext key, but it doesn't store the EIK itself.
To read the EIK, the Seeker performs a write operation to the characteristic, consisting of a request from table 3 with data ID 0x04. The Provider verifies that:
- The hashed recovery key matches the expected recovery key.
- The device is in EIK recovery mode.
If verification fails, the Provider returns an unauthenticated error.
If the device isn't in pairing mode, the Provider returns a No User Consent error.
On success, the Provider notifies with a response from table 6 with data ID 0x04.
The authentication segment is defined as the first 8 bytes of
HMAC-SHA256(recovery key, protocol major version number || the last nonce read
from the characteristic || data ID || data length || additional data || 0x01).
Ring operation
The Seeker can ask the Provider to play a sound by performing a write operation to the characteristic, consisting of a request from table 4 with data ID 0x05. The Provider constructs the data segment as follows:
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Ring operation | A bitmask having the following values:
|
| 1 - 2 | uint16 | Timeout | The timeout in deciseconds. Must not be zero and must not
be greater than the equivalent of 10 minutes. The Provider uses this value to determine how long it should ring before silencing itself. The timeout overrides the one already in effect if any component of the device is already ringing. If ring operation is set to 0x00, the timeout is ignored. |
| 3 | uint8 | Volume |
|
Upon receiving the request, the Provider verifies that:
- The provided one-time authentication key matches the ring key.
- The requested state matches the components that can ring.
If the Provider isn't provisioned as an FMDN beacon or verification fails, it returns an unauthenticated error. However, if the Provider has unwanted tracking protection active, and the triggering unwanted tracking protection request had the skip ringing authentication flag turned on, the Provider should skip that check. The authentication data is still expected to be provided by the Seeker, but it could be set to an arbitrary value.
When ringing starts or terminates a notification is sent as indicated in table 6 with data ID 0x05. The contents of the notification are defined as follows:
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Ringing state |
|
| 1 | uint8 | Ringing components | A bitmask of the components actively ringing, as defined in the request. |
| 2 - 3 | uint16 | Timeout | The remaining time for ringing in deciseconds. If the device has stopped ringing, 0x0000 should be returned. |
The authentication segment is defined as the first 8 bytes of
HMAC-SHA256(ring key, protocol major version number || the nonce used to
initiate the ringing command || data ID || data length || additional data ||
0x01).
If the device is already in the requested ring state when a request to ring or stop ringing is received, the Provider should send a notification with a ringing state or either 0x00: Started or 0x04: Stopped (GATT request), respectively. This request overrides the existing state's parameters, so that the ringing duration can be extended.
If the Provider has a physical button (or touch sense is enabled), that button should stop the ringing function if pressed while the ringing is active.
Get the beacon's ringing state
To get the ringing state of the beacon, the Seeker performs a write operation to the characteristic, consisting of a request from table 4 with data ID 0x06. The Provider verifies that the provided one-time authentication key matches the ring key.
If the Provider isn't provisioned as an FMDN beacon or if verification fails, the Provider returns an unauthenticated error.
On success, the Provider notifies with a response from table 6 with data ID 0x06. The Provider constructs the data segment as follows:
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Ringing components | The components actively ringing, as defined in the ringing request. |
| 1 - 2 | uint16 | Timeout | The remaining time for ringing in deciseconds. Note that if the device isn't ringing, 0x0000 should be returned. |
The authentication segment is defined as the first 8 bytes of
HMAC-SHA256 (ring key, protocol major version number || the last nonce read
from the characteristic || data ID || data length || additional data || 0x01).
Unwanted tracking protection mode
Unwanted tracking protection mode is intended to let any client identify abusive devices with no server communication. By default, the Provider should rotate all identifiers as described in ID rotation. The Find My Device service can relay an unwanted tracking protection mode activation request through the Find My Device network. By doing so, the service causes the Provider to temporarily use a fixed MAC address, allowing clients to detect the device and warn the user of possible unwanted tracking.
To activate or deactivate the unwanted tracking protection mode of the beacon, the Seeker performs a write operation to the characteristic, consisting of a request from table 5 with data ID 0x07 or 0x08 respectively.
When enabling unwanted tracking protection mode
The Provider constructs the data segment as follows:
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Control Flags |
The flags are in effect only until the unwanted tracking protection mode is deactivated. |
The Provider verifies that the provided one-time authentication key matches the unwanted tracking protection key. If the Provider isn't provisioned as an FMDN beacon or verification fails, it returns an unauthenticated error.
When unwanted tracking protection mode is activated, the beacon should reduce MAC private address rotation frequency to once per 24 hours. The advertised ephemeral identifier should keep rotating as usual. The frame type should be set to 0x41. The state is also reflected in the hashed flags section.
When disabling unwanted tracking protection mode
The Provider verifies that:
- The provided one-time authentication key matches the unwanted tracking protection key.
- The hashed ephemeral identity key matches the current ephemeral identity key.
If the Provider isn't provisioned as an FMDN beacon or verification fails, the Provider returns an unauthenticated error.
When unwanted tracking protection mode is deactivated, the beacon should start rotating the MAC address at a normal rate again, synchronized with ephemeral identifier rotation. The frame type should be set back to 0x40. The state is also reflected in the hashed flags section.
On success, the Provider notifies with a response from table 6 with data ID 0x07 or 0x08.
The authentication segment is defined as the first 8 bytes of
HMAC-SHA256(unwanted tracking protection key, protocol major version number ||
the last nonce read from the characteristic || data ID || data length ||
0x01).
Advertised frames
After provisioning, the Provider is expected to advertise FMDN frames at least once every 2 seconds. If Fast Pair frames are advertised, the Provider should interleave the FMDN frames within the regular Fast Pair advertisements. For example, every two seconds, the Provider should advertise seven Fast Pair advertisements and one FMDN advertisement.
The FMDN frame carries a public key used to encrypt location reports by any supporting client that contributes to the crowdsourcing network. Two types of elliptic curve keys are available: a 160-bit key that fits legacy BLE 4 frames, or 256-bit key that requires BLE 5 with extended advertising capabilities. The Provider's implementation determines which curve is used.
An FMDN frame is structured as follows.
| Octet | Value | Description |
|---|---|---|
| 0 | 0x02 | Length |
| 1 | 0x01 | Flags data type value |
| 2 | 0x06 | Flags data |
| 3 | 0x18 or 0x19 | Length |
| 4 | 0x16 | Service data data type value |
| 5 | 0xAA | 16-bit service UUID |
| 6 | 0xFE | ... |
| 7 | 0x40 or 0x41 | FMDN frame type with unwanted tracking protection mode indication |
| 8..27 | 20-byte ephemeral identifier | |
| 28 | Hashed flags |
Table 8: FMDN frame supporting a 160-bit curve.
Table 9 shows the byte offsets and values for a 256-bit curve.
| Octet | Value | Description |
|---|---|---|
| 0 | 0x02 | Length |
| 1 | 0x01 | Flags data type value |
| 2 | 0x06 | Flags data |
| 3 | 0x24 or 0x25 | Length |
| 4 | 0x16 | Service data data type value |
| 5 | 0xAA | 16-bit service UUID |
| 6 | 0xFE | ... |
| 7 | 0x40 or 0x41 | FMDN frame type with unwanted tracking protection mode indication |
| 8..39 | 32-byte ephemeral identifier | |
| 40 | Hashed flags |
Table 9: FMDN frame supporting a 256-bit curve.
Ephemeral identifier (EID) computation
A random is generated by AES-ECB-256 encrypting the following data structure with the ephemeral identity key:
| Octet | Field | Description |
|---|---|---|
| 0 - 10 | Padding | Value = 0xFF |
| 11 | K | Rotation period exponent |
| 12 - 15 | TS[0]...TS[3] | Beacon time counter, in 32-bit big-endian format. The K lowest bits are cleared. |
| 16 - 26 | Padding | Value = 0x00 |
| 27 | K | Rotation period exponent |
| 28 - 31 | TS[0]...TS[3] | Beacon time counter, in 32-bit big-endian format. The K lowest bits are cleared. |
Table 10: Construction of a pseudorandom number.
The result of this computation is a 256-bit number, denoted r'.
For the rest of the calculation, SECP160R1 or SECP256R1 are used for
elliptic curve cryptographic operations. See curve definitions in
SEC 2: Recommended Elliptic Curve Domain Parameters, which defines Fp, n and G
referenced next.
r' is now projected to the finite field Fp by calculating r = r' mod n.
Finally, compute R = r * G, which is a point on the curve representing the
public key being used. The beacon advertises Rx, which is the x coordinate
of R, as its ephemeral identifier.
Hashed flags
The hashed flags field is calculated as follows (bits are referenced from most significant to least significant):
- Bits 0-4: Reserved (set to zeros).
- Bits 5-6 indicates the battery level for the device as follows:
- 00: Battery level indication unsupported
- 01: Normal battery level
- 10: Low battery level
- 11: Critically low battery level (battery replacement needed soon)
- Bit 7 is set to 1 if the beacon is in unwanted tracking protection mode, and 0 otherwise.
To produce the final value of this byte, it is xor-ed with the least significant
byte of SHA256(r).
Note that r should be aligned to the curve's size. Add zeros as most significant bits if its representation is shorter than 160 or 256 bits, or the most significant bits should be truncated if its representation is larger than 160 or 256 bits.
If the beacon doesn't support battery level indication, and isn't in unwanted tracking protection mode, it's allowed to omit this byte entirely from the advertisement.
Encryption with EID
To encrypt a message m, a sighter (having read Rx from the beacon) would do
the following:
- Choose a random number
sinFp, as defined in the EID computation section. - Compute
S = s * G. - Compute
R = (Rx, Ry)by substitution in the curve equation and picking an arbitraryRyvalue out of the possible results. - Compute the 256-bit AES key
k = HKDF-SHA256((s * R)x)where(s * R)xis thexcoordinate of the curve multiplication result. Salt isn't specified. - Let
URxandLRxbe the upper and lower 80-bits ofRx, respectively, in big-endian format. In a similar way, defineUSxandLSxforS. - Compute
nonce = LRx || LSx. - Compute
(m’, tag) = AES-EAX-256-ENC(k, nonce, m). - Send
(URx, Sx, m’, tag)to the owner, possibly through an untrusted remote service.
Decryption of values encrypted with EID
The owner's client, which is in possession of the EIK and the rotation period exponent, decrypts the message as follows:
- Given
URx, obtain the beacon time counter value on whichURxis based. This can be done by the owner's client computingRxvalues for beacon time counter values for the recent past and near future. - Given the beacon time counter value on which
URxis based, compute the anticipated value ofras defined in the EID computation section. - Compute
R = r * G, and verify a match to the value ofURxprovided by the sighter. - Compute
S = (Sx, Sy)by substitution in the curve equation and picking an arbitrarySyvalue out of the possible results. - Compute
k = HKDF-SHA256((r * S)x)where(r * S)xis thexcoordinate of the curve multiplication result. - Compute
nonce = LRx || LSx. - Compute
m = AES-EAX-256-DEC(k, nonce, m’, tag).
ID rotation
A resolvable (RPA) or non-resolvable (NRPA) BLE address must be used for advertising FMDN frames. RPA is required for LE Audio (LEA) devices and is recommended for other devices, with the exception of locator tags that don't use bonding.
Fast Pair advertisement, FMDN advertisement and the corresponding BLE address(es) should rotate at the same time. Rotation should happen every 1024 seconds on average. The precise point at which the beacon starts advertising the new identifier must be randomized within the window.
The recommended approach to randomize the rotation time is to set it to the next anticipated rotation time (if no randomization was applied) plus a positive randomized time factor in the range of 1 to 204 seconds.
When the device is in unwanted tracking protection mode, the BLE address of the FMDN advertisement should be fixed, but the RPA for FP non-discoverable advertisement (such as Fast Pair) must keep rotating. It's acceptable to use different addresses for the different protocols.
Recovery from power loss
Resolving the ephemeral identifier is strongly tied to its clock value at the time of the advertisement, so it's important that the Provider can recover its clock value if there's a power loss. It is recommend that the Provider writes its current clock value to nonvolatile memory at least once per day, and that at boot time the Provider checks the NVM to see if there's a value present from which to initialize. Resolvers of the ephemeral identifier would implement resolution over a time window sufficient to allow for both reasonable clock drift and this type of power loss recovery.
Providers should still make all efforts to minimize clock drifts, as the resolution time window is limited. At least one additional clock synchronization method should be implemented (advertising non-discoverable Fast Pair frames or implementing the message stream).
Fast Pair implementation guidelines
This section describes special aspects of the Fast Pair implementation on Providers that support FMDN.
Locator tag specific guidelines
- If the Provider was paired, but FMDN wasn't provisioned within 5 minutes (or if an OTA update was applied while the device is paired but not FMDN-provisioned), the Provider should revert to its factory configuration and clear the stored account keys.
- After the Provider is paired, it shouldn't change its MAC address until FMDN is provisioned or until 5 minutes pass.
- If the ephemeral identity key is cleared from the device, the device should perform a factory reset and clear the stored account keys as well.
- The Provider should reject normal Bluetooth pairing attempts and accept only Fast Pair pairing.
- The Provider must include a mechanism that lets users temporarily stop advertising without factory resetting the device (for example, pressing a combination of buttons).
- After a power loss, the device should advertise non-discoverable Fast Pair frames until the next invocation of read beacon parameters. This lets the Seeker detect the device and synchronize the clock even if a significant clock drift occurred.
- When advertising non-discoverable Fast Pair frames, UI indications shouldn't be enabled.
- Discoverable Fast Pair frames shouldn't be advertised while the Provider is provisioned for FMDN.
- The Provider shouldn't expose any identifying information information in an unauthenticated manner (e.g. names or identifiers).
Classic Bluetooth device-specific guidelines
This section describes special aspects of classic Bluetooth devices that support FMDN.
FMDN provisioning of already paired devices
The Provider isn't always provisioned for FMDN when pairing with the Seeker, but a while after that. In that case, the Provider might not have an up-to-date BLE MAC address that's required to establish a GATT connection. The Provider must support at least one of the following ways for the Seeker to get its BLE address while it's already paired:
- The Provider can periodically advertise the Fast Pair account data
that lets the Seeker find its BLE address through a BLE scan.
This approach suits Providers that don't implement the message stream. - The Provider can provide this data through the Fast Pair message stream over
classic Bluetooth.
This approach suits Providers that don't advertise Fast Pair frames while connected to the Seeker over Bluetooth.
Supporting both approaches increases the chances that the user can provision the device for FMDN.
Fast Pair message stream
The Provider can implement Fast Pair message stream and use it to notify the Seeker about Device information. Implementing the message stream enables certain features as described in this section.
The Provider should send device information messages once every time the message stream RFCOMM channel is established.
Firmware version (device information code 0x09) and the tracking capability
When a firmware update adds FMDN support to the Provider, a connected Seeker can notify the user about that and offer to provision it. Otherwise, the user has to navigate to the Bluetooth device list manually to initiate FMDN provisioning.
To allow that, the Provider should use the Firmware version property (code 0x09) to report a string value that represents the firmware version. In addition, the Provider should support the protocol that lets the Seeker know about Capability changes due to firmware updates.
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Device information event | 0x03 |
| 1 | uint8 | Firmware version | 0x09 |
| 2 - 3 | uint16 | Additional data length | varies |
| var | byte array | Version string | varies |
Table 11: Device information event: updated firmware version.
Upon receiving a capability update request (0x0601), if the Provider has enabled support for FMDN tracking, it should respond as shown in table 12.
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Device capability sync event | 0x06 |
| 1 | uint8 | FMDN tracking | 0x03 |
| 2 - 3 | uint16 | Additional data length | 0x0007 |
| 4 | uint8 | FMDN provisioning state | 0x00 if unprovisioned; 0x01 if provisioned by any account |
| 5 - 10 | byte array | The current BLE MAC address of the device | varies |
Table 12: Device capability sync event: added tracking capability.
Current ephemeral identifier (device information code 0x0B)
The Provider can use the current ephemeral identifier (code 0x0B) to report the current EID and clock value when the Provider is provisioned for FMDN, to sync the Seeker in case of a clock drift (for example, due to drained battery). Otherwise, the Seeker initiates a more expensive and less reliable connection for this purpose.
| Octet | Data Type | Description | Value |
|---|---|---|---|
| 0 | uint8 | Device information event | 0x03 |
| 1 | uint8 | Current ephemeral identifier | 0x0B |
| 2 - 3 | uint16 | Additional data length | 0x0018 or 0x0024 |
| 4 - 7 | byte array | Clock value | Example: 0x13F9EA80 |
| 8 - 19 or 31 | byte array | Current EID | Example: 0x1122334455667788990011223344556677889900 |
Table 13: Device information event: clock sync.
Factory reset
For devices that support factory reset: if a factory reset is performed, the Provider must stop beaconing and wipe out the ephemeral identity key and all stored account keys, including the owner's account key.
After a factory reset (either manual or programmatic), the Provider shouldn't start advertising Fast Pair right away, to prevent the pairing flow to start immediately after the user deletes the device.
Unwanted tracking prevention
Certified FMDN devices must also meet the requirements in the implementation version of the cross-platform specification for Detecting Unwanted Location Trackers (DULT).
Relevant guidelines specific to FMDN to be compliant with DULT spec:
- Any FMDN compatible device must be registered in the Nearby Device Console, and have the "Find My Device" capability activated.
- The device must implement the Accessory Non-Owner service and characteristic defined in the implementation version of the DULT spec, including the Accessory Information operations and Non-owner controls.
- During the backward compatibility period, as defined in the DULT spec, there are no changes to the advertised frame as defined in this document.
- "Unwanted tracking protection mode" defined in this document maps to the "separated state" defined by the DULT spec.
- Guidelines for implementing the Accessory Information opcodes:
- Get_Product_Data should return the model ID provided by the console, zero padded to fit the 8-byte requirement. For example, model ID 0xFFFFFF is returned as 0x0000000000FFFFFF.
- Get_Manufacturer_Name and Get_Model_Name should match the values provided in the console.
- Get_Accessory_Category can return the generic "Location Tracker" value if no other category better fits the type of the device.
- Get_Accessory_Capabilities must indicate the support for ringing as well as BLE identifier lookup.
- Get_Network_ID should return Google's identifier (0x02).
- Guidelines for implementing the Get_Identifier opcode:
- The operation should only return a valid response for 5 minutes after the user activated the 'identification' mode, which requires a combination of button presses. A visual or audio signal should indicate to the user that the provider entered that mode. The model-specific instructions for activating that mode must be provided to Google as a requirement for certification and at least 10 days prior to any update or modification to the instructions.
- The response is constructed as: the first 10 bytes of current ephemeral
identifier, followed by the first 8 bytes of
HMAC-SHA256(recovery key, the truncated current ephemeral identifier).
- Guidelines for implementing Identifier over NFC:
- As a URL, use
find-my.googleapis.com/lookup. - As the
eparameter, use the same response as constructed for Get_Identifier, hex encoded. - As the
pidparameter, use the same response as constructed for Get_Product_Data, hex encoded.
- As a URL, use
- Guidelines for implementing the Sound_Start opcode:
- The command should trigger ringing in all available components.
- The maximal supported volume should be used.
- The recommended duration for ringing is 12 seconds.
- Locator tags must include a mechanism that lets users temporarily stop
advertising without factory resetting the device (for example, pressing a
combination of buttons).
- The disablement instructions must be documented in a publicly available URL and provided to Google as a requirement for certification and at least 10 days prior to any update or modification to the instructions.
- The URL should support localization. Depending on the client, the language will be provided either as a query param ("hl=en") or using the "accept-language" HTTP header.
Switchable protocol guidelines
- Only one protocol should be used at a time. Ensure that no more than one network can operate on the device simultaneously. This requirement is needed to ensure that there is no commingling of sensitive user data between varying protocols.
- It is suggested to incorporate a hard reset workflow into the device that allows a user to re-setup a device with a different network.
- The process of updating a device to a network should be user friendly and equitable between networks. A user must be able to choose which network they want to use without giving preference to one of the networks. This flow needs to be approved by the Google team.
Firmware updates
The process and distribution of OTA updates should be managed by the partner using their own Mobile or Web app workflow.
Compatibility
Find My Device network requires location services and Bluetooth to be turned on. Requires cell service or internet connection. Works on Android 9+ and in certain countries for age-eligible users.
Changelog
| FMDN Version | Date | Comment |
|---|---|---|
| v1 | Initial release of the FMDN spec for early access. | |
| v1.1 | Feb 2023 |
|
| v1.2 | Apr 2023 |
|
| v1.3 | Dec 2023 |
|