Month: March 2016

Snippets on Cellebrite’s Samsung Solution and Blackberry Solution, OCR’d from legal complaint against competitor

The complaint (.pdf) filed by Cellebrite’s attorneys against a competitor for infringement on copyright and trade secrets contains some information about Cellebrite’s Samsung Solution and Blackberry Solution — here a some OCR’d snippets (perhaps this is already widely known; it’s new to me):


1.  The Cellebrite Samsung Solution
  a.  Development of the Cellebrite Samsung Solution

86. in March 2011, Cellebrite released a breakthrough Samsung solution in its UFED version 2.0, which was the world’s first forensic solution for physical extraction of Samsung mobile phones (the “Cellebrite Samsung Solution”).

87. The physical extraction function enables the extraction of deleted data from the phone in addition to undeleted data. In addition to the ability to extract deleted data, the Cellebrite Samsung Solution can be used while the phone is already powered up and it is not required for the phone to first be powered down, like all previous solutions. This function is very sophisticated, was the first of its kind, and is still unique today.

88. The Cellebrite Samsung Solution took thousands of hours to develop by a team of highly trained, experienced Cellebrite software engineers.

89. Cellebrite’s Samsung Solution contains no less than six (6) key proprietary innovations, including:

1.  Identification of a unique vulnerability in the random access memory (“RAM“) of  Samsung phones allowing Cellebrite to inject and run its software directly on the phones;

2.  Identification of specific landing site locations — referred to as “Loading Addresses” — on the Samsung phone RAM where Cellebrite could inject and run its own software for each of the models of Samsung phones;

3.  Development of proprietary Cellebrite Samsung bootloader software (the “Cellebrite Samsung Bootloader“) that runs on the Samsung mobile device’s RAM to gather personal data and extract such data for download to Cellebrite’s UFED Units.

4.  A magic command “OxB7 that facilitates communication between Cellebrite’s Samsung Bootloader and the Samsung phone’s RAM (the “Magic Command“).

5.  Identification and sequencing of USB communication software code signatures for the Samsung mobile device models that are supported by Cellebrite’s Samsung Bootloader (the “USB Communications Signatures“).

6.  Development of a proprietary algorithm that allows for innovative searching and identification of the Samsung model on which the UFED is running in order to select the correct USB Communications Signatures in Cellebrite’s Samsung Bootloader (the “Model Signature Search Algorithm“).


2.  The Cellebrite BlackBerry Solution
  a. Development of the Cellebrite BlackBerry Solution

92. In January 2012, Cellebrite released a BlackBerry extraction solution in its UFED version (the “Cellebrite BlackBerry Solution“).

93. This cutting edge solution — a world first — was based upon an exclusive discovery of a vulnerability in the BlackBerry mobile device’s validation process of the manufacturer’s digitally signed software code delivered by BlackBerry desktop software to the BlackBerry mobile device.

94. The exploitation of this vulnerability was a complex process and involved substantial research.

95. The development of an advanced methodology by Cellebrite to access the BlackBerry mobile device through such vulnerability, upload Cellebrite’s proprietary boot loader software, and then extract the data from the BlackBerry mobile device, among other related innovations, was extensive and took thousands of hours to develop by a team of highly trained experienced Cellebrite software engineers.

96. Cellebrite’s BlackBerry Solution contains no less than ten (10) key proprietary innovations:

1.  Identification and extraction of a BlackBerry digitally signed bootloader software program buried in BlackBerry desktop software (The “BlackBerry Signed Bootloader“), using the April 2011 version of BlackBerry’s desktop software;

2.  Development of a boot loader software program that could run on the BlackBerry phone RAM (the “Cellebrite Unsigned Bootloader“) that would piggyback on the BlackBerry Signed Bootloader, thus tricking the extremely sophisticated BlackBerry security protocols to allow the Cellebrite Unsigned Bootloader to run on the BlackBerry phone;

3. Development of a physical extraction payload that would locale, gather and allow for the extraction of data on the RAM for download to the UFED Unit (the “Physical Extraction Payload“).

4.  Transmission of the Cellebrite Unsigned Bootloader with the BlackBerry Signed Bootloader and the Physical Extraction Payload over the BlackBerry communications protocol using randomly selected distances between each of these three programs on the BlackBerry communications protocol.

5.  Landing the Cellebrite Unsigned Bootloader on the RAM of the BlackBerry mobile device in a Loading Address where the BlackBerry Signed Bootloader usually resides and relocating the BlackBerry Signed Bootloader to a usually unused Loading Address.

6.  Creating a “jumper” function on a specific location of the Cellebrite Unsigned Bootloader, which activates the proprietary stack changer function developed by Cellebrite as part of the Cellebrite BlackBerry Solution (the “Stack Changer“), for integrating actions between the Cellebrite Unsigned Bootloader and the BlackBerry Signed Bootloader.

7.  Using BlackBerry command number 8 to act as the launching location for the Physical Extraction Payload.

8.  Developing proprietary USB pointer and cache functions on the Cellebrite Physical Extraction Payload.

9.  Developing a proprietary OneNAND initialization function (the “OneNAND Initialization“); and

10. Writing a unique ownership string code (the “Ownership String“) on the Cellebrite Unsigned Bootloader.



“Apple has long suspected that servers it ordered from the traditional supply chain were intercepted during shipping”

UPDATE 2017-02-24: Apple deleted server supplier after finding infected firmware in Siri servers

According to a report at The Information, Apple relies on others vendors for its iCloud infrastructure. The report references Amazon (AWS), Microsoft (Azure), Google (Google cloud), AT&T and Verizon. The report suggests that Apple, too, has long-time worries about supply chain security:

[…] Apple is also working on projects to design its own servers. At least part of the driver for this is to ensure that the servers are secure. Apple has long suspected that servers it ordered from the traditional supply chain were intercepted during shipping, with additional chips and firmware added to them by unknown third parties in order to make them vulnerable to infiltration, according to a person familiar with the matter. At one point, Apple even assigned people to take photographs of motherboards and annotate the function of each chip, explaining why it was supposed to be there. Building its own servers with motherboards it designed would be the most surefire way for Apple to prevent unauthorized snooping via extra chips.

“You can’t go take an X-Ray of every computer that hits the floor. You want to make sure there’s no extracurricular activity,” a person familiar with the server project said.

The report does not state whether any specific examples of ‘unknown third parties’ are kept in mind, nor whether the suspicion is based on specific evidence. So, it may just be a precautionary deliberation — as would (obviously) be good practice for any organization handling information attractive to domestic and/or foreign spies.

The story by The Information is covered at Business Insider and subsequently posted to Slashdot. (The reason for this blogpost is that neither included the entire text quoted above, which seems quite relevant to me.)