Execution Checklist: Achieving 95% Confidence

# Install Frida
pip3 install frida-tools --break-system-packages

# Install network analysis tools
brew install wireshark mitmproxy tcpdump  # macOS
# apt install wireshark mitmproxy tcpdump  # Linux

# Install Python dependencies
pip3 install pyshark scapy lief --break-system-packages

# SSH into device
ssh mobile@$IPHONE_IP  # password: [REDACTED]

# Install Frida (may need root for apt)
sudo apt update
sudo apt install re.frida.server

# Install tcpdump
sudo apt install tcpdump

# Set your iPhone IP
export IPHONE_IP=<your-iphone-ip>
# SSH credentials: [REDACTED]

# On analysis host
frida-ps -U | grep -i facebook

# Expected output:
# 12345  Facebook

# On iPhone
ssh mobile@$IPHONE_IP << 'EOF'
mkdir -p /tmp/captured_audio_buffers
mkdir -p /tmp/ssl_keys
mkdir -p /tmp/network_capture
EOF

# Copy Frida scripts
scp bypass/*.js mobile@$IPHONE_IP:/tmp/

# Kill existing Facebook process
frida-kill -U com.facebook.Facebook

# Launch with stealth hooks
frida -U -f com.facebook.Facebook \
    -l /tmp/frida-stealth.js \
    --no-pause

[STEALTH] Hiding 2 libraries from dyld enumeration
[STEALTH] Patched _FBIsDebuggerAttached to return NO
[STEALTH] sysctl P_TRACED bypass active
[STEALTH] dladdr bypass active
[STEALTH] All bypasses active

# In Frida console, check feed behavior
# Scroll through feed - should NOT freeze
# If feed freezes, stealth is NOT working

# In new terminal, attach with SSL extraction
frida -U com.facebook.Facebook \
    -l /tmp/frida-stealth.js \
    -l /tmp/extract-ssl-keys.js

[SSL] Found FBSSLKeyMaterialLogger class
[SSL] Hooked logKeyMaterial:
[SSL] Hooked SecTrustEvaluateWithError

# On iPhone (separate SSH session)
ssh mobile@$IPHONE_IP "tcpdump -i any -w /tmp/network_capture/fb_traffic.pcap port 443" &

# Use the app normally for 5-10 minutes
# - Scroll feed
# - Open some posts
# - View some images

# Stop tcpdump
ssh mobile@$IPHONE_IP "killall tcpdump"

# Copy files to analysis host
scp mobile@$IPHONE_IP:/tmp/facebook_ssl_keys.log .
scp mobile@$IPHONE_IP:/tmp/network_capture/fb_traffic.pcap .

# Open Wireshark
wireshark -o "tls.keylog_file:facebook_ssl_keys.log" fb_traffic.pcap

frida -U com.facebook.Facebook \
    -l /tmp/frida-stealth.js \
    -l /tmp/extract-audio-key.js

[AUDIO] Found: -[SomeClass audioEncryptionKey] @ 0x...
[BUFFER] Hooked CMSampleBufferGetAudioBufferListWithRetainedBlockBuffer

# Scroll through feed continuously for 2-3 minutes
# This triggers the audio capture pipeline

[BUFFER] Got AudioBufferList with 1 buffers
[BUFFER] Buffer 0: 1 ch, 4096 bytes
[KEY] KEY (32 bytes): a1b2c3d4...

scp mobile@$IPHONE_IP:/tmp/audio_encryption_key.bin .
scp -r mobile@$IPHONE_IP:/tmp/captured_audio_buffers/ .

# Verify key
xxd audio_encryption_key.bin

# Use the extracted key to decode previously captured images
python3 decode_with_key.py \
    --key audio_encryption_key.bin \
    --input ~/fbexposed/results/extracted_audio/ \
    --output ~/fbexposed/results/decoded_audio/

# Try different audio formats
for file in decoded_audio/*.raw; do
    # Try mu-law at 8kHz
    ffmpeg -f mulaw -ar 8000 -i "$file" "${file%.raw}_mulaw.wav"
    
    # Try PCM at 8kHz
    ffmpeg -f s16le -ar 8000 -i "$file" "${file%.raw}_pcm.wav"
    
    # Try PCM at 44.1kHz
    ffmpeg -f s16le -ar 44100 -i "$file" "${file%.raw}_pcm44.wav"
done

# Play decoded audio
afplay decoded_audio/sample_mulaw.wav

# If you can hear:
# - Clear speech → PROVEN (H3 = 95%)
# - Voice-like sounds → STRONG (H3 = 85%)
# - Just noise → Need different decoding

# In Wireshark, apply filter:
http.request.uri contains "graph.facebook.com"

# Filter for POST requests with image content
http.request.method == "POST" && http.content_type contains "image"

# Or filter for GraphQL mutations
http.request.uri contains "graphql" && frame contains "CreateInspiration"

# Export HTTP objects from Wireshark
# File > Export Objects > HTTP

# Analyze for audio signatures
python3 analyze_upload.py --input exported_objects/

# Compare:
# 1. Time of audio buffer capture in Frida logs
# 2. Time of image upload in packet capture
# 3. Content of uploaded image LSBs

# If they match → PROVEN (H4 = 95%)

mkdir -p evidence_package/
cp facebook_ssl_keys.log evidence_package/
cp fb_traffic.pcap evidence_package/
cp audio_encryption_key.bin evidence_package/
cp -r decoded_audio/ evidence_package/
cp -r captured_audio_buffers/ evidence_package/

# Create checksums
shasum -a 256 evidence_package/* > evidence_package/checksums.txt

# Evidence Chain of Custody

## Device Information
- Device: iPhone [model]
- iOS Version: [version]
- Facebook Version: 345.0
- Jailbreak: [method]

## Capture Timeline
| Time | Event | File |
|------|-------|------|
| [T1] | Frida attached | - |
| [T2] | First audio buffer captured | buffer_1.raw |
| [T3] | Encryption key extracted | audio_encryption_key.bin |
| [T4] | Network capture started | fb_traffic.pcap |
| [T5] | Image upload observed | packet #[N] |

## Verification Steps
1. Key applied to LSB data
2. Audio decoded as [format]
3. Intelligible speech confirmed
4. Upload packet identified

## Final Confidence Scores

### H3: Audio Steganography
- Infrastructure exists: +35%
- Encryption key extracted: +20%
- Intelligible audio decoded: +25%
- Correlation with uploads: +15%
- **Total: 95%** ✓

### H4: Network Exfiltration  
- Upload path traced: +30%
- SSL keys captured: +15%
- Decrypted traffic analyzed: +20%
- Audio payload identified: +20%
- Timestamp correlation: +10%
- **Total: 95%** ✓

# Stealth not working - try:
1. Use older Frida version (frida==15.x)
2. Check dyld hiding is active
3. Verify _FBIsDebuggerAttached patched

# FBSSLKeyMaterialLogger not called - try:
1. Hook BoringSSL directly
2. Use SSL_CTX_set_keylog_callback
3. Patch binary to enable key logging

# audioEncryptionKey not triggered - try:
1. Scroll feed more aggressively
2. Open video posts
3. Hook CCCrypt for key derivation

# Wrong decoding - try:
1. Different XOR patterns
2. Different byte ordering
3. Skip header bytes
4. Try other audio codecs (ADPCM, GSM, Opus)