Hackers publish Cellebrite iOS hacking tools

UFED Touch Ultimate: a comprehensive solution for mobile forensics
About a month ago, a group of unknown hackers announced the hacking of the Israeli company Cellebrite , which sells the software and hardware complex Universal Forensic Extraction Device (UFED) to law enforcement agencies around the world for hacking and copying data from any mobile phone. Similar tools for forensic expertise are made by the Russian company Elcomsoft . It was Cellebrite who was rumored to have helped the FBI hack an iPhone 9C phone under iOS 9, owned by a San Bernardino terrorist who became a stumbling block in a high-profile conflict between Apple and the FBI .
In January, hackers provided an archive with 900 GB of files received from Cellebrite servers to prove the editorial board of Motherboard . The seized files contain customer lists, databases and a large amount of technical information about Cellebrite products. An initial analysis of customer data from Cellebrite shows that among its customers there were law enforcement agencies from countries such as Russia, the UAE, and Turkey.
The entire 900 GB archive has not yet been published; there is a lot of confidential information. But today, hackers have posted online binaries of Cellebrite commercial programs, which it sells to its customers as part of a hardware-software complex for hacking Apple smartphones.
File links along with a statement by a group of hackers are published on Pastebin .

Files are hosted on Mega hosting. Unfortunately, just a few hours after the publication, the files were deleted from Mega hosting, so far it has not been possible to find the mirror (UPD: but it was possible for the user ValdikSS , mirror ).
But in the first hours after the publication, these security tools and the famous macOS and iOS hacking expert Jonathan Zdziarski managed to get acquainted with these tools . His opinion is very curious to know.
Cellebrite robbing a jailbreak community?
Today’s dump contains exploits for circumventing protection on iOS smartphones, “specially designed routines to decrypt this lamer protection”, a demo .eas file (a DLL for working with specific devices and applications) and .epr files (bootloaders, exploits and shellcode) .
Hackers note that some of the exploits for Apple are very similar to the standard tools available to every young teenage hacker who plays with jailbreaks for the iPhone. These are public jailbreak tools that are actually sold to government bodies in a beautiful “wrapper” for tens and hundreds of thousands of dollars. In this regard, it is recommended to pay special attention to .epr for Blackberry.
Along with the files in the first dump, there are decrypted and fully working Python scripts for using these exploits.
import os
import sys
import random
class CellebritePython(object):
init_tbl =[
0x67, 0x3B, 0x9D, 0xE0, 0x44, 0xB4, 0xBF, 0x06, 0xD0, 0xA3, 0x46, 0xFF, 0x66, 0xA9, 0x5D, 0x13,
0x05, 0x8A, 0xF7, 0xC6, 0x6F, 0xF9, 0x32, 0x16, 0xCC, 0x0D, 0xFC, 0x3D, 0x6F, 0x76, 0x26, 0xF2,
0x00, 0x2E, 0x1B, 0x69, 0x9F, 0x58, 0xE3, 0x6C, 0x43, 0xF0, 0xE3, 0x9E, 0xF4, 0x86, 0x14, 0xDE,
0xF9, 0x29, 0x04, 0xF9, 0xED, 0x3F, 0x60, 0xE6, 0xD1, 0xD5, 0x76, 0xE4, 0x7A, 0xA8, 0x5C, 0xE0,
0xFD, 0x8D, 0xE6, 0x4B, 0xAB, 0x91, 0x8E, 0xF5, 0x6A, 0x97, 0x4C, 0x86, 0x87, 0x43, 0xE2, 0xA7,
0x23, 0xEA, 0xE1, 0xA7, 0x03, 0xB6, 0xE9, 0x34, 0xCD, 0xFD, 0x50, 0x78, 0xCC, 0xE9, 0x8E, 0xEE,
0xC6, 0xC2, 0x6B, 0xA2, 0xD9, 0x05, 0xBC, 0x09, 0xEA, 0x36, 0x82, 0xC2, 0xD8, 0x29, 0x4E, 0x9D,
0xBC, 0x0A, 0x58, 0x86, 0x9F, 0x0D, 0xD7, 0x21, 0xBC, 0x9F, 0x22, 0x34, 0xC9, 0x63, 0xBB, 0x77,
0x66, 0x4A, 0xA2, 0x1F, 0xA0, 0xCE, 0x49, 0x4F, 0x6C, 0xB7, 0xB6, 0xCC, 0x5A, 0x1A, 0x33, 0xFB,
0x3D, 0x13, 0xFB, 0xAB, 0x51, 0xC4, 0xE1, 0x5B, 0x1D, 0x6B, 0x5D, 0x2C, 0x2A, 0x5A, 0xEB, 0x6D,
0x13, 0xA9, 0x7D, 0xD7, 0x2F, 0xBE, 0x12, 0xE3, 0x09, 0x5E, 0xD4, 0x3F, 0xEB, 0xC5, 0xA0, 0x1D,
0x45, 0xF1, 0xE2, 0x72, 0x4A, 0x9D, 0xF7, 0xA0, 0x4F, 0xC5, 0x99, 0x91, 0x30, 0x6F, 0x26, 0x99,
0xAC, 0x74, 0xE3, 0x8D, 0x1C, 0xAD, 0x0A, 0xF3, 0xEA, 0xA1, 0xD7, 0x35, 0xFF, 0x02, 0x8A, 0xB8,
0x8E, 0xA0, 0xE9, 0xAC, 0x77, 0x47, 0x53, 0xFC, 0xB5, 0x8E, 0x81, 0xEF, 0xF5, 0xCA, 0xAF, 0x26,
0x58, 0xF7, 0xB8, 0x68, 0x91, 0xDE, 0xC6, 0x6E, 0x3A, 0x99, 0x48, 0x93, 0xCD, 0x8E, 0xD8, 0xB0,
0xA1, 0x64, 0xFA, 0xE5, 0x58, 0xDF, 0x35, 0x18,
]
def __init__(self):
self.buff=bytearray(0x100)
self.curr_offset=0
self.sumvar=0
def randomBytes(self,n):
return bytearray(random.getrandbits(8) for i in range(n))
def init_table(self):
for t in range(0xf8):
self.file_data[t]^=self.init_tbl[t]
for t in range(0x100):
self.buff[t]=t
sumvar=0
for t in range(0x100):
val=self.file_data[t%0xf8]
val+=self.buff[t]
sumvar+=val
sumvar&=0xff
self.buff[t],self.buff[sumvar]=self.buff[sumvar],self.buff[t]
def get_char(self):
char=self.file_data[0xf8+self.curr_offset]
self.curr_offset+=1
char2=self.buff[self.curr_offset&0xff]
self.sumvar=(self.sumvar+char2)&0xff
self.buff[self.curr_offset&0xff],self.buff[self.sumvar]=self.buff[self.sumvar],self.buff[self.curr_offset&0xff]
char2=(self.buff[self.curr_offset&0xff]+self.buff[self.sumvar])&0xff
return char ^ self.buff[char2]
def decrypt(self,filename):
buffer=bytearray()
with open(filename,"rb") as file:
self.file_data=bytearray(file.read()[4:])
self.init_table()
for t in range(len(self.file_data)-0xf8):
buffer.append(self.get_char())
return buffer
def encrypt(self,filename):
buffer=bytearray()
self.file_data=bytearray()
crypto_header=self.randomBytes(0xf8)
self.file_data+=crypto_header
with open(filename,"rb") as file:
self.file_data+=bytearray(file.read())+b'\xff\xff'
self.init_table()
for t in range(len(self.file_data)-0xf8):
buffer.append(self.get_char())
return b"CELL"+crypto_header+buffer
filename="site.py"
enc = CellebritePython()
with open(filename+".dec","wb") as file:
file.write(enc.decrypt(filename))Jonathan Zdzyarski says the published Cellebrite binaries are really very similar to the jailbreak tools that are being distributed as part of the QuickPWN project . They were only adapted for forensic examination. For example, one of the software modules in the dump is intended for brute force of PIN codes, which is not part of the normal jailbreak program.
If Cellebrite used these programs in its UFED hardware and software systems and other products, this means that they "robbed" the jailbreak community and used untested and experimental software as part of their commercial products, Zdzyarski said.
Cellebrite spokesman officially announcedthat the submitted files are part of the Cellebrite software package and are available to customers, while they are distributed without source codes. He added that Cellebrite’s specialists constantly monitor the latest developments of the hacker community, new hacking methods, research tools, including jailbreaks.
Second dump
In the near future, hackers promise to post a second dump of files. It should have “a small selection of files received through the Cellebrite update server, which is installed on devices and desktop computers running MS Windows (with SYSTEM privileges) inside the client’s infrastructure”.
In the second dump, a report should be published with an analysis of the "compression and obfuscation techniques" used in Cellebrite products ordered by the UK Department of Defense, as well as versions of programs with unprotected supplied by the General Department of Special Forces of the United States Department of Defense (SI) SpN US MoD or SOCOM) and other organizations.
Stay tuned for pastebin releases.
A month ago it was reported that among the received data from the Cellebrite server there was a web server cache with the names and passwords of users who logged in to the MyCellebrite portal. This section of the site is intended for company customers only. After publishing the articles in Motherboard, Cellebrite officially recognized the hacking of an “external web server” with a backup database of MyCellebrite accounts. An investigation was scheduled in this regard. The company assured customers that there was nothing particularly confidential about the data leak, only the password hashes of users who had not migrated to the new user account accounting system yet. But an independent review by Motherboard revealed that there is much more to that 900 GB dump than Cellebrite admits.