Allll I want for christmaaaaas is *glitch* death of GenAI industry
Since we're on the topic of Cellebrite: #postmarketOS is NOT vulnerable. Among the devices that police seized from my friend was a Xiaomi Poco F1 (xiaomi-beryllium) running a postmarketOS build I pmbootstrapped in late January 2024 (without LUKS2). Police seized the device 2 weeks after I gave it to said friend. They tried to exploit it, but gave up. The mainline Linux kernel (6.6 at the time) did not have vulnerabilities in the USB HID drivers. To mitigate further against tools such as Cellebrite, we could enable USB authentication, which prevents kernel modules from loading prior to the user's consent. The problem with that approach is that desktop environments have authentication implemented for Thunderbolt, but not for USB. I really would like to see SELinux implemented as well, but it would be a Herculean effort because the rules would need to be hand-written for Alpine.
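The consent mechanism described in the post above exists in the Linux kernel as sysfs USB device authorization: each root hub exposes `authorized_default`, and each enumerated device exposes `authorized`. An unauthorized device still has its descriptors read by usbcore, but it is never configured and no interface driver (HID included) is probed for it, which is the part that keeps class drivers away from an untrusted port. The POSIX shell script below is an added example, not code from the post or from postmarketOS; it sets the default to "deny", lists devices waiting for consent, and authorizes one by its sysfs name, standing in for the desktop-environment prompt the post says is missing. It assumes the standard layout under /sys/bus/usb/devices and must run as root; the SYSFS_USB override and the function names are the example's own.

```shell
#!/bin/sh
# Added example: manual USB device authorization through sysfs (Linux usbcore).
# SYSFS_USB is an assumed override so the functions can be pointed at a mock tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Tell every root hub that newly enumerated devices start unauthorized:
# usbcore still reads their descriptors, but no interface driver is probed.
usb_lockdown() {
    for hub in "$SYSFS_USB"/usb*; do
        [ -f "$hub/authorized_default" ] || continue
        printf '0' > "$hub/authorized_default"
    done
}

# List devices waiting for consent, one per line:
# "<sysfs name> <idVendor>:<idProduct> <product string>".
usb_list_pending() {
    for dev in "$SYSFS_USB"/*; do
        name=${dev##*/}
        case "$name" in usb*|*:*) continue ;; esac   # skip root hubs and interfaces
        [ -f "$dev/authorized" ] || continue
        [ "$(cat "$dev/authorized")" = "0" ] || continue
        product=$(cat "$dev/product" 2>/dev/null || true)
        printf '%s %s:%s %s\n' "$name" "$(cat "$dev/idVendor")" "$(cat "$dev/idProduct")" "$product"
    done
}

# Authorize a single device once the user has consented; returns 1 if unknown.
usb_authorize() {
    [ -f "$SYSFS_USB/$1/authorized" ] || return 1
    printf '1' > "$SYSFS_USB/$1/authorized"
}

# Command-line front end: lockdown | pending | authorize <sysfs name>
case "${1:-}" in
    lockdown)  usb_lockdown ;;
    pending)   usb_list_pending ;;
    authorize) usb_authorize "$2" ;;
esac
```

Two caveats matter in practice. Setting `authorized_default` only affects devices enumerated afterwards, so run the lockdown early in boot (the `usbcore.authorized_default=0` kernel parameter does the same from the start) and deauthorize anything already present if it should not be trusted. And the policy is enforced at the driver-binding layer, so it does nothing for bugs in usbcore's own descriptor parsing; it only keeps HID and other class drivers off a port until someone says yes. The usbguard project packages the same sysfs mechanism with a rule language and a D-Bus interface if a more complete tool is wanted.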
About 1.5 years ago my friend was (wrongly) accused of terrorism. All of their electronic devices were seized, plus my stash of hard drives (which were at their place for reasons). Of course they didn't find any evidence. The culprit that framed my friend (and many others) was arrested (article in Polish). Upon returning the hardware, I found that all of my hard drives had been destroyed, which made me (understandably) pissed. We're very good friends, so I've been given their personal phone that was pwned with Cellebrite. It hasn't been turned on since police extracted data from it, so I decided to do some forensics on it. As it turns out, police forgot to clean up after themselves. Took a peek at the first-stage payload, but it's too complex for me to reverse-engineer. It's clear it's full of obfuscations and is even using TLS to talk to the Cellebrite box. If you're a security researcher (or just a curious nerd with more spoons than me) and you want to take a look at it - here you go.

Payload was uploaded onto the device on 2024-02-21. If you want to re-create the environment it was executed on, you will need:
- Samsung Z Flip3 5G (SM-F711B)
- Android build SP2A_220305.013.F711BXXS2CVHF

Rough execution flow:
1. USB device plugged in (Cellebrite Cheetah)
2. USB controller switches to host mode
3. Gadget switching USB VID/PID to load kernel modules
4. Module 'hid_akeys' leaks memory
5. Screen unlocked
6. ADB key '82:E5:EA:F3:DC:D1:7D:CA:65:3C:D4:58:65:CD:81:8E' added to trusted keys on the device
7. First-stage payload '/data/local/tmp/falcon' copied onto the device.
8. Second-stage payload executed as root:
   - /data/local/tmp/chrome-command-line
   - /data/local/tmp/android-webview-command-line
   - /data/local/tmp/webview-command-line
   - /data/local/tmp/content-shell-command-line
   - /data/local/tmp/frida-server-16.1.4-android-arm64
   - /data/local/tmp/init
9. Data extraction (photos, telegram, firefox, downloads)

Unanswered question: What the hell is "jtcb.sdylj.axpa" running as root? Seems to have been dropped around the same time...

Have fun!
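Step 6 of the flow above, a foreign ADB key placed in the device's trusted-key store, is the artifact an owner can check for directly. Android's adbd keeps trusted keys in /data/misc/adb/adb_keys, one key per line in the same "<base64 public key> <user@host>" form as adbkey.pub, and the fingerprint Android shows in its "Allow USB debugging?" dialog (the format of the value quoted in step 6) is the MD5 of the base64-decoded key blob, rendered as colon-separated upper-case hex. The script below is an added example and not code from the post: it computes that fingerprint for every stored key and compares it with an allowlist of the owner's own adbkey.pub fingerprints, so anything that is not one of their computers shows up as UNKNOWN. It assumes GNU or busybox base64, md5sum, sed and tr; the function names are the example's own, and any key lines used with it in testing are constructed, not real ADB keys. Reading adb_keys on a device requires root, which is why the audit takes the file as an argument instead of opening the path itself.

```shell
#!/bin/sh
# Added example: audit the keys Android's adbd trusts, by fingerprint.
# Input file format (one key per line, same as adbkey.pub):  <base64 key> <user@host>

# Fingerprint as Android displays it: MD5 of the decoded key blob, "AA:BB:...".
# Assumes GNU or busybox base64 -d and md5sum.
adb_key_fingerprint() {
    printf '%s\n' "${1%% *}" | base64 -d | md5sum | cut -d' ' -f1 \
        | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Compare every key in $1 (an adb_keys file) against $2 (allowlist, one
# fingerprint per line). Prints one line per key: "KNOWN|UNKNOWN <fp> <comment>".
adb_keys_audit() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        fp=$(adb_key_fingerprint "$line")
        comment=${line#* }
        [ "$comment" != "$line" ] || comment='(no comment)'
        if grep -qixF "$fp" "$2"; then status=KNOWN; else status=UNKNOWN; fi
        printf '%s %s %s\n' "$status" "$fp" "$comment"
    done < "$1"
}

# Usage: sh adb_keys_audit.sh <copy of adb_keys> <allowlist>
# Build the allowlist from your own machines:
#   adb_key_fingerprint "$(cat ~/.android/adbkey.pub)" >> allowlist.txt
if [ $# -eq 2 ]; then
    adb_keys_audit "$1" "$2"
fi
```

The comparison is deliberately done off-device on a copy of the file: the device in the post had not been powered on since the extraction, and pulling the file once preserves that state better than running tools on the handset. An UNKNOWN entry is evidence that someone completed the USB-debugging trust step on the device, which is the same thing a user would have had to approve on screen.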