Android Kernel Debugging (kmsg log)

[Rhythmlyss]

Hello,





So I've been subject to some rather advanced hacking. Long story short, through means of brute force TTY and shell/root manipulation, the hackers have used ADB (android debugging bridge) and trace/printk to debug my kernel and place kernel hooks. (They've done the same to my computer, which is a Linux Mint Distro. Advice on it would be great, too.)





Holding the "Home," "Power," and "Volume Up" hard-keys brings up a menu that allows me to look at system recovery logs. Therein I can access the "kmsg" (kernel message log), and get a printout of it's processes. There is a list of Kernel commands (I assume that are being administered via remote shell via tty) and a few lines that read, "NOTICE NOTICE NOTICE ... This is a debugged kernel. If you are not debugging the kernel please contact your vendor."





So, I did just that. I went to MetroPCS, who in turn referred me to their support line, who in turn referred me to Samsung support, who left me with two options: Send in my phone, or visit one of their licensed repair vendors. I chose the latter. UBREAKIFIX informed me that the complexity was beyond their abilities (even though Samsung support had told me they would be able to give me a diagnostic and printout of everything that occurred in my phone, as well as reset the kernel), and said I'd need to ship my phone in to Samsung.





So, I've decided to make a pit stop by these forums in hope to garner any more information in regards to the matter. I'm hoping to avoid sending my phone in, whilst simultaneous getting some verifiable proof of the occurrence and make Samsung aware of the software manipulation.





So my question is just that, are there any official outlets (without shipping in my phone) that I can get to recognize and help me fix (and prevent future instances) this infiltration of my privacy. Sensitive personal information as already been exfiltrated and used against me, and the hacking is across all my devices. So I want verification so I can file a police report if possible.





And while I'm here, same for my computer. It's a bit different, as I can access all the kernel, directories, bootloaders myself. Whereas my phone I cannot bypass manufacturers/vendors barriers. Still though.





Any guidance is appreciated. Thanks in advanced.

(I tried posting this on Samsung Community forums but it kept getting marked as "spam"). Lol

 

[wizardfromoz]

So, I've decided to make a pit stop by these forums in hope to garner any more information in regards to the matter.

G'day @Rhythmlyss .

Android, although it was originally based on a form of Linux, has been since re-engineered and proprietary protocols added by Google, that it is barely recognisable as Linux for a long time now.

Unless someone here steps forward having knowledge with regard to this matter, I don't see your chances here as being very good at getting a solution.

There is an Australian-based website with a worldwide membership, Whirlpool, that may have a mobile/cell phone subforum, you could try your luck there.

https://whirlpool.net.au/

Other than that, regrets and good luck.

Chris Turner
wizardfromoz

 

[130RNE]

Something's up, this is unusual. 2 different OSes? Both which disallow remote root operations unless specifically enabled. I think. I know it's true for Android.

So what happened? Hypothetical- If root was used, they don't have access to the system partition unless the bootloader was unlocked. You can't flash a kernel without root. Actually with the newer AVB versions I don't think you can access the filesystem anyway. I've had problems even changing a hosts file. Root over adb must be specifically enabled. I've been unable to directly edit any part of the filesystem on any version of Android 11 except for specific custom ROMs. Magisk uses an overlay system, the original system/boot partitions are untouched. Dev options can be unlocked but a dev kernel cannot be flashed unless the filesystem is accessible and the phone is rebooted. If you haven't rebooted your phone, then it's not the kernel. Software kernel flashing options are available so it's technically possible. If you were using a custom rom with a dev kernel, why? Don't do that, use a release kernel. I think it's the dev kernel that allows filesystem access, the stock release kernel wouldn't let me modify system stuff no matter what I did, not even with root. Everything can be done with Magisk overlays. In recovery you can load and modify whatever but it might still fail AVB. And the phone would need to be rebooted into recovery to allow access. Android is pretty well locked down these days.

From the network side it's more complicated. They would need a remote exploit and would need to gain access to adb. What I mean is they would need to enable ADB remote root from inside, otherwise it doesn't run a root shell over the network. Assuming they did this through TTY and enabled ADB and spawned a root shell, why? Why enable ADB at all if you have remote access? It's unnecessary. Just sounds.. unlikely. Especially considering Linux was hacked in the same manner, this is just odd. Hacks do exist for locked bootloaders, hacks exist for ADB. These are local, they require a usb cable. The PIN can be brute forced. What makes the most sense to me is local access. If the phone is physically in someone else's hand, there's no telling what they can do.

Regardless, none of this is firmware. There are preloaders on phones that happen before the normally recognized filesystem/kernel bootloader. This happens before end users are given access to the bootloader screen. Some phones like my Pixel have a special emergency mode that allows very low level access. These preloaders aren't even normally accessible. It's possible to reflash them, none of this stuff is permanent. Reflashing factory software though should be all that's required. So what do you mean, you can't pass vendor locks? Even if they somehow locked you out of the bootloader, you can find the matching factory firmware and reflash. A locked bootloader will still allow you to flash the matching OS version as long as the checksums match. Just overwrite all the software, from kernel up. Put it back stock. If they did some funky stuff to the bootloader and locked you out of the verified OS, Idk what to tell you.

Personal info? So was this money or like personal pictures posted on social media? If it's personal it's likely from inside your network. I'll just about guarantee only one device was hacked and then they hopped across your LAN. It's much easier than coming from the outside. I find it unlikely that they hacked two OSes from the outside. Check router logs, might show something interesting, especially if they're still pinging it from the outside to see if the connection is alive. If they're sending remote comands through one port, you might be able to stop it just by closing that port in your router. Test it and see.

That's the best I've got.

 

[Brickwizard]

Welcome, @130RNE to the linux.org forums
please pop into the members introductions and Tell us a little about yourself and experience

Bwiz

 

[BoringZombie]

Hello,





So I've been subject to some rather advanced hacking. Long story short, through means of brute force TTY and shell/root manipulation, the hackers have used ADB (android debugging bridge) and trace/printk to debug my kernel and place kernel hooks. (They've done the same to my computer, which is a Linux Mint Distro. Advice on it would be great, too.)





Holding the "Home," "Power," and "Volume Up" hard-keys brings up a menu that allows me to look at system recovery logs. Therein I can access the "kmsg" (kernel message log), and get a printout of it's processes. There is a list of Kernel commands (I assume that are being administered via remote shell via tty) and a few lines that read, "NOTICE NOTICE NOTICE ... This is a debugged kernel. If you are not debugging the kernel please contact your vendor."





So, I did just that. I went to MetroPCS, who in turn referred me to their support line, who in turn referred me to Samsung support, who left me with two options: Send in my phone, or visit one of their licensed repair vendors. I chose the latter. UBREAKIFIX informed me that the complexity was beyond their abilities (even though Samsung support had told me they would be able to give me a diagnostic and printout of everything that occurred in my phone, as well as reset the kernel), and said I'd need to ship my phone in to Samsung.





So, I've decided to make a pit stop by these forums in hope to garner any more information in regards to the matter. I'm hoping to avoid sending my phone in, whilst simultaneous getting some verifiable proof of the occurrence and make Samsung aware of the software manipulation.





So my question is just that, are there any official outlets (without shipping in my phone) that I can get to recognize and help me fix (and prevent future instances) this infiltration of my privacy. Sensitive personal information as already been exfiltrated and used against me, and the hacking is across all my devices. So I want verification so I can file a police report if possible.





And while I'm here, same for my computer. It's a bit different, as I can access all the kernel, directories, bootloaders myself. Whereas my phone I cannot bypass manufacturers/vendors barriers. Still though.





Any guidance is appreciated. Thanks in advanced.

(I tried posting this on Samsung Community forums but it kept getting marked as "spam"). Lol

A lot of certified repair partners of big companies are lazy it's best to send it to the manufacturer if you can't solve it yourself. If they also don't want to help send it back anyway telling them your original complaint has been resolved but you need a replacement due to overheating or dead pixels, works for me.

 

[RandomNumbers]

Hello,





So I've been subject to some rather advanced hacking. Long story short, through means of brute force TTY and shell/root manipulation, the hackers have used ADB (android debugging bridge) and trace/printk to debug my kernel and place kernel hooks. (They've done the same to my computer, which is a Linux Mint Distro. Advice on it would be great, too.)





Holding the "Home," "Power," and "Volume Up" hard-keys brings up a menu that allows me to look at system recovery logs. Therein I can access the "kmsg" (kernel message log), and get a printout of it's processes. There is a list of Kernel commands (I assume that are being administered via remote shell via tty) and a few lines that read, "NOTICE NOTICE NOTICE ... This is a debugged kernel. If you are not debugging the kernel please contact your vendor."





So, I did just that. I went to MetroPCS, who in turn referred me to their support line, who in turn referred me to Samsung support, who left me with two options: Send in my phone, or visit one of their licensed repair vendors. I chose the latter. UBREAKIFIX informed me that the complexity was beyond their abilities (even though Samsung support had told me they would be able to give me a diagnostic and printout of everything that occurred in my phone, as well as reset the kernel), and said I'd need to ship my phone in to Samsung.





So, I've decided to make a pit stop by these forums in hope to garner any more information in regards to the matter. I'm hoping to avoid sending my phone in, whilst simultaneous getting some verifiable proof of the occurrence and make Samsung aware of the software manipulation.





So my question is just that, are there any official outlets (without shipping in my phone) that I can get to recognize and help me fix (and prevent future instances) this infiltration of my privacy. Sensitive personal information as already been exfiltrated and used against me, and the hacking is across all my devices. So I want verification so I can file a police report if possible.





And while I'm here, same for my computer. It's a bit different, as I can access all the kernel, directories, bootloaders myself. Whereas my phone I cannot bypass manufacturers/vendors barriers. Still though.





Any guidance is appreciated. Thanks in advanced.

(I tried posting this on Samsung Community forums but it kept getting marked as "spam"). Lol

Hey, @Rhythmlyss , @130RNE , @wizardfromoz

I've been hacked in the exactly same way, but it been going on for years and over every phone I've had, ever heard of madera ? I saw this on the kmsg log or it was recoveryparty log or something I'd not seen that name before, trying to create what I thought was virtual devices but failed when it tried on a null device. I can't screenshot in the recovery menu and just wanted my phone working again. My wifi stopped working and the phone went boot looping, normal reflash didn't work.

I've nand erased and repartition the Samsung phone but in my experience, they will get back on again and I'll see that debugging warning in the recovery logs.

I was hoping to find a way to see if those logs survived the repartition and reflash, my phone was not rooted, but they can still get in, I'm suspecting via the power adaptor for charging, or maybe an infected device at home, plenty of smart devices here, I need to factory reset them 3 times each to undo whatever was done and get back to normal.

I've found many many things which point to high level hacking, and companies like Ccsi, Genesys cloud. I'd never heard of these until I was going line by line through what logs I had, most of which seems to stop logging during the periods in question.
Even down to my location history with Google being deleted. But the record of having stopped at a location still existed just not what the location was.

I could go on with many things, but I've got no idea why I'm worthy of being monitored this way.
I thought at first it was previous employer being nasty but his way too stupid for that.

Get back to me if you can.