
About 1.5 years ago my friend was (falsely) accused of terrorism.

All of their electronic devices were seized, plus my stash of hard drives (stored at their place for reasons).

Of course police didn’t find any evidence. The culprit that impersonated my friend (and many others) got arrested recently (article in Polish).

Police returned the hardware a few months ago and I found that all of my drives are now e-waste thanks to their carelessness, which made me (understandably) furious. I even considered suing them.

Said very good friend of mine entrusted me with their personal phone and the pattern to unlock it. I charged and booted it for the first time since February 2024 and was curious how it was pwned. I knew police used Cellebrite on it.

My crime is that of curiosity

As it turns out, police forgot to clean after themselves (there was an attempt) and left payloads, logs, and backdoor intact.

Took a peek at the first-stage payload but it’s too complex for me to reverse-engineer on my own. It’s relatively well obfuscated, but I can tell it’s using RNDIS (likely spawning a server?) and TLS-encrypted connection to talk to Cellebrite box.

If you’re a security researcher (or just curious nerd with more spoons than me) and you would like to take a look - here you go.

Payload was uploaded onto the device on 2024-02-21. If you want to re-create the environment it was executed on, you will need:

  • Samsung Z Flip3 5G (SM-F711B)
  • Android build SP2A_220305.013.F711BXXS2CVHF

Rough execution flow:

1. USB device plugged in (Cellebrite Cheetah)
2. USB controller switches to host mode
3. Gadget switching USB VID/PID to load kernel modules (hid_steam, hid_apple, hid_prodikeys, hid_logitech_hidpp, hid_magicmouse, hid_aksys and tries to exploit quirks)
4. Module 'hid_aksys' leaks memory
5. Screen unlocked
6. ADB key '82:E5:EA:F3:DC:D1:7D:CA:65:3C:D4:58:65:CD:81:8E' added to trusted keys on the device
7. First-stage payload '/data/local/tmp/falcon' copied onto the device.
8. Second-stage payload (seemingly) executed as root:
	- /data/local/tmp/chrome-command-line
	- /data/local/tmp/android-webview-command-line
	- /data/local/tmp/webview-command-line
	- /data/local/tmp/content-shell-command-line
	- /data/local/tmp/frida-server-16.1.4-android-arm64
	- /data/local/tmp/init
9. Data extraction (photos, telegram, firefox, downloads)

Have fun!

@elly Seizement of all electronic devices ought to be illegal in 2025, where people need a device to participate in society (for example electronic transit tickets, online banking, online shops, electronic government services, calling a doctor for an appointment)

At the VERY least they should be obligated to provide a temporary replacement device
@elly you have a typo in the URL to the news article, it has a space before niebezpiecznik.
@a1ba it was intentional to not embed, but fixed now

@elly cellebrite just uses frida? Shit, I figured it was something custom. I'm not seeing any explicit frida scripts, but I see the stuff they're hooking/replacing.

I'm just looking at this on my phone with solid explorer, might do some testing on an emulator tomorrow

@rpgwaiter @elly when I worked at Sprint and we used Cellebrite to transfer data to new phones, we had maybe a 15% success rate (most times we could get a partial transfer at least). It doesn't surprise me that they aren't doing anything custom, because their custom stuff never worked.

@rpgwaiter Frida might’ve been left by my friend, phone was rooted. After first exploit phone was rebooted and system date was changed, so it was a bit tricky to figure out what happened.

For instance, if you look at the creation dates it will make no sense whatsoever:

1|b2q:/data/local/tmp # ls -alh
total 214M
drwxrwx--x 4 shell   shell    3.3K 2023-12-11 20:27 .
drwxr-x--x 6 root    root     3.3K 2023-08-03 14:23 ..
drwxrwxrwx 5 shell   shell    3.3K 2022-10-27 04:56 .studio
-rwxr--r-- 1 root    root       90 2024-01-31 13:49 android-webview-command-line
-rwxr--r-- 1 root    root       90 2024-01-31 13:49 chrome-command-line
-rwxr--r-- 1 root    root       90 2024-01-31 13:49 content-shell-command-line
-rwxr-xr-x 1 shell   shell     14M 2024-02-14 18:55 falcon
-rwxr-x--x 1 root    root      49M 2023-08-03 17:59 frida-server
-rw-r----- 1 root    root      49M 2023-09-20 21:34 frida-server-16.1.4-android-arm64
-rwxrwxrwx 1 root    root     5.7M 2023-12-13 11:09 init
drwxrwxrwx 5 shell   shell    3.3K 2022-10-29 20:28 perfd
-rwxr--r-- 1 root    root       90 2024-01-31 13:49 webview-command-line

…especially since phone was still in my friend’s possession on 14th of February. However, according to system logs, they were uploaded in the following order: https://f.sakamoto.pl/elly/cellebrite-files.txt

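A triage helper written for this thread (an added example, not elly's script and not Cellebrite or MVT code): it computes ADB key fingerprints the way Android's USB-debugging prompt does (MD5 of the base64-decoded public key, colon-separated upper-case hex), so an adb_keys file can be compared against the fingerprint quoted in step 6, and it flags the staging files from the execution flow in an ls -alh listing like the one above. The adb_keys content is constructed; the staging-file set, the fingerprint and the listing excerpt come from the thread.

```python
import base64
import hashlib
# Constructed adb_keys content ("<base64 pubkey> <comment>" per line), standing in
# for /data/misc/adb/adb_keys; the real key bytes are not on the page.
SAMPLE_ADB_KEYS = "YWJj forensic-box@example\n"
# Fingerprint the thread reports being added to the device's trusted ADB keys.
KNOWN_BAD_FINGERPRINT = "82:E5:EA:F3:DC:D1:7D:CA:65:3C:D4:58:65:CD:81:8E"
# Staging file names from the thread's execution flow (assumed IoC set).
KNOWN_STAGING_FILES = {
    "falcon", "chrome-command-line", "android-webview-command-line",
    "webview-command-line", "content-shell-command-line",
    "frida-server-16.1.4-android-arm64", "init",
}
# Excerpt of the `ls -alh /data/local/tmp` output posted in the thread.
SAMPLE_LS = """\
-rwxr--r-- 1 root    root       90 2024-01-31 13:49 chrome-command-line
-rwxr-xr-x 1 shell   shell     14M 2024-02-14 18:55 falcon
-rwxr-x--x 1 root    root      49M 2023-08-03 17:59 frida-server
-rwxrwxrwx 1 root    root     5.7M 2023-12-13 11:09 init
"""

def adb_key_fingerprint(key_bytes: bytes) -> str:
    """Android displays MD5 of the decoded public key as colon-separated upper-case hex."""
    return ":".join(f"{b:02X}" for b in hashlib.md5(key_bytes).digest())

def fingerprints_from_adb_keys(text: str) -> dict:
    """Map each trusted key's comment to its fingerprint."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            b64, _, comment = line.strip().partition(" ")
            out[comment or "<no comment>"] = adb_key_fingerprint(base64.b64decode(b64))
    return out

def flag_listing(ls_output: str) -> dict:
    """Map suspicious entries to reasons; mtimes are ignored on purpose because
    the thread notes the system clock was changed after the first exploit."""
    flagged = {}
    for line in ls_output.splitlines():
        parts = line.split(maxsplit=7)
        if len(parts) < 8:          # "total ..." and prompt lines have fewer fields
            continue
        mode, _, owner, _, _, _, _, name = parts
        reasons = []
        if name in KNOWN_STAGING_FILES:
            reasons.append("known staging artifact")
        if owner == "root" and mode[0] == "-" and mode[7:10] == "rwx":
            reasons.append("root-owned world-writable executable")
        if reasons:
            flagged[name] = reasons
    return flagged
```
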
@TheMNWolf @elly sounds about right if that was also using frida scripts. They can be extremely flaky. I write a lot of mobile toolchains with frida for work and I always need to add retry loops and timeouts when doing certain things with it

Also wild that y'all used cellebrite for doing data transfers

@elly I see frida-server getting uploaded to the phone in these logs. I am surprised at how long it took to get added. Like they add all this studio stuff beforehand. I can only assume that all the previous stuff is setting up a root exploit or maybe telemetry, since running frida as root would be the final thing needed to have 100% control over everything.

I see an "installer" and "install_server". Ugh I think I'm getting nerdsniped and need to turn on my dev pc

@rpgwaiter @elly when they announced that they were going to make devices for police to unlock phones, I laughed because I knew how unreliable their hardware was anyway.

@elly not sure what is worse, getting your stuff confiscated, or getting your friend's stuff confiscated. 💀
How do you convince the other person (and yourself) that you haven't done anything wrong to prompt this.

@elly @foone hid_akeys? I don't see that module in the upstream Linux tree. Is it some downstream thing?

@rpgwaiter @elly they are doing some custom stuff but, especially on android, why make your life harder and write bespoke chains when you can just get root and run frida. Especially because cellebrite’s product operates under the assumption that you have physical access to the device and pretty much unlimited time, as feds do

@endrift @foone my bad, shouldn’t have posted at 5AM

CONFIG_HID_AKSYS_QRD in sm8350 kernel tree (it’s a gamepad driver). Example here (likely where the vulnerability is, it’s usually quirks): https://github.com/LineageOS/android_kernel_asus_sm8350/blob/lineage-23.0/drivers/hid/hid-aksys.c#L167-L197

@elly @foone ...how?? I clearly have a lot to learn about kernel driver vulnerabilities

@LunaDragofelis @elly

Even in 2025, people don't own governments, governments own YOU. This used to only be true in Mother Russia, but things have changed. 🫤

@elly @foone this driver is making my head hurt. It does not look well written. But I don't see any immediately obvious bugs, apart from potential null pointer issues

@elly now I'm wondering if the drives got wrecked before or after they were gonna pull data. if it's before then wow your pigs are incompetent

@CauseOfBSOD @elly I had an IDE drive come back from the police with bent pins, we thought they tried to dump it and put it in backwards or something, luckily it still worked after straightening the pins
@elly A few months ago we found a public share where the DOJ in Montana had stored phone dumps done by Graykey (sth. like Cellebrite).

https://blog.literarily-starved.com/2025/06/postmortem-assumed-doj-montana-leak-of-phone-dumps/

@Rairii @elly like I got taught the basics of digital forensics by some folks from GCHQ a while back and one of them is "don't let absolute morons at the device, and don't go at it yourself unless you know what you are doing, otherwise get someone qualified in to handle it"

@LunaDragofelis @elly

If law enforcement seized all my electronic devices and provided me with a replacement smartphone I wouldn't touch it with a ten-foot pole :-)

@elly don't forget you're paying them to do this 🫠

ancap propaganda aside, I'm really sorry this happened to you and your friend, I'd be furious

at least you got to play around with the Cellebrite leftovers 😎

@elly maybe something for @rysiek ...
After exposing Polish train shenanigans, Polish police shenanigans might be a fun next step? 😅🙈

@elly Hi Elly! Any chance you could share the Android tombstones (they usually survive as well)? Those would show crash logs of the specific modules being exploited.

@wall_e 👀

Seriously though, I think it's more in @drwhax's and @tek's ballpark.

@elly

@endrift @elly @foone the aksys_qrd_ff_init feels sus wrt how it tries to match up input/output reports while also seeming to allow an unbounded number of ff devices to be created, but that's not a bug by itself

is this maybe just a heap manipulation with the real bug elsewhere?

@elly have you already looked into this?
It was a Linux USB driver 0-day, after the unlock NoviSpy (Serbian police spyware) was injected.

https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/

@elly Treating anyone as a terrorist is actually terrorism.

Thanks for this fascinating thread.

@elly

The of is probably not as bad as many countries, but they do that here also.

Certain “crimes”, or even with some scumbag accusing an innocent of those crimes, can precipitate the heavy handed wrong arm of the law. They have even been known to bash in the door of the wrong house! Compensation? Hardly.

They target celebrities.

Bad is directly related to the attitude of the top levels of .

must go

@elly yep. Police doesn't work as always.

@elly you should sue them btw. You should absolutely sue them.

@elly inshallah hack them back: fake android device that actually scans the host in some way? Or does Cellebrite's USB controller use prevent this?

@elly (of course this will probably NEVER happen but it's fun to think about ^_^)

Is this in the "before first unlock" or "after first unlock" state? If it's the former, it'll be quite alarming that even after performing the exploit they were able to somehow decrypt the file system.

@drwhax will take a look after I wake up, I'm planning to connect this device to a WiFi network that doesn't have WAN access, run netcat and perform full storage dump (block devices + unencrypted data) for future reference just in case
@thezero yes, it was very similar (my friend's device was easier to pwn due to lack of security updates + root) but otherwise it looks very similar
@jackemled @LunaDragofelis @elly

Well, since it's a loaner, I wouldn't want to qualify for destruction of government property ;-)

@elly maybe you or one of your friends @ddu ?

@elly sounds like something @maia would enjoy

@VulcanTourist @LunaDragofelis @elly

>This used to be true only in Russia..

I don't know what particular standard you're using, but I'm almost certain I can find examples outside Russia and its predecessors.

Some places just find different methods to fulfill their needs.

@elly @drwhax Make sure to save and share the data asap. Surely your friend and you are still on the feds' radar and there's a chance they'll bash in your door to prevent you from leaking more data.

@Natanox @drwhax Of course, I'm aware of it.

I have offsite backups of my personal data, currently dumping the entire storage from friend's phone.
Will create an encrypted archive and upload it to friends' machines across the globe to make sure that even if they would detain me or something (don't see why they would do that, I didn't do anything illegal) all files will be safely backed up across 3 different continents.
@fun What are they gonna do, pwn me and leak newer version of the payload? akko_giggle
In all seriousness, thanks!
@elly I got kinda curious and spent a bit of time looking over it. And comparing it to other drivers the code itself seems to be mostly fine. With one exception:

`hidinput_connect` in `hid-input.c` calls the handler `input_configured` on the driver for every input "attached" to the device. And the implementation of this handler in the aksys driver also iterates over *every* input to create all the objects necessary for handling the FF for that input. Which means every input gets set up multiple times (as many times as there are inputs, and the usb controller decides the input count).

And as far as I can tell all the object creation handlers do not check and try to clean up stuff that has already been there before. Cleanup seems to only happen on device reset/disconnection. This would at the very least explain the memory leaks, tho I'm not sure how exactly this bug is used to actually overwrite stuff in memory and the nature of the bug means that this has a very broad scope of where it could actually be happening.

PS: I'm curious how you obtained the info about `hid_aksys` leaking memory, since there doesn't seem to be anything about that in the data you posted.

@personifieddevil Interesting, thanks!

Unfortunately I can't share those logs, as they're full of my friend's personal data (text messages, notifications and so on). I used the Mobile Verification Toolkit (MVT) from Amnesty International.

STIX2 markers didn't catch it, but manual analysis with MVT dumps wasn't too bad.
Asahi Lina (朝日リナ) 🩵 3D Yuri Wedding 2026!!!

@endrift @elly @foone My guess is UAF when the device is removed or similar? I don't see any cleanup code.

@lina @elly @foone could be. I could easily clean up this driver a LOT if I had the controller. But it probably just makes more sense to just remove it from the tree entirely. It's not upstream, anyway. Who imported it?

@elly if anyone can find a vulnerability in hid_steam, PLEASE contact me so I can fix it.

@elly Wow, Cellebrite sure is creepy: https://cellebrite.com/en/about/ Check out that photo of the man and the little girl. I'm going to have nightmares. I'm sorry for your horrible experience. It's enough to make you permanently paranoid. I hope that your friend was officially cleared.

@masek They didn’t even encrypt it? Talk about incompetence and disregard towards security/privacy…

#!/usr/bin/env zsh
# Pull every named partition from a rooted device over adb, then encrypt the
# archive with age so only the holder of the $AGE_PUBKEY private key can read it.
set -euo pipefail

CODENAME="$(adb shell getprop ro.product.device | tr -d '\r')"

cd /mnt/nfs/chungus/Backups/
mkdir -p "backup-$CODENAME"
# adbd restarts after `adb root`, so wait for it to come back before pulling
adb kill-server; adb root; adb wait-for-device
adb pull /dev/block/by-name/ "backup-$CODENAME/"
# Stream the tarball straight into age so no unencrypted archive touches the disk
tar -cvzf - "backup-$CODENAME" | age -o "$CODENAME-backup-$(date --iso-8601).tar.gz.age" -r "$AGE_PUBKEY"
rm -rf "backup-$CODENAME"
printf 'Backup for %s completed.\a\n' "$CODENAME"
@lina @elly @foone ok I dug around a bit and based on their website I'm gonna say Qualcomm did it. It looks like the controller is standalone but their website talks about Qualcomm and Android a lot. Someone probably stuffed it in the Qualcomm tree without much thought. I wonder if I should see about getting one, putting a proper driver in with the same filename so there's a conflict when Android pulls in a new kernel, and they see mine is just a fixed up version blobhyperthinkfast

Even though I am doing a lot of controller driver dev for work I kinda doubt I could get them to sign off on paying me for that though haha.

@elly No. It was totally unprofessional.
