runtime-chains-summary

Runtime Chains Summary

This document summarizes all runtime instrumentation evidence correlated across agent analyses.

Technical Diagrams

Call Count Summary Line 14

| Method | Call Count | Context | Agent Source |
|--------|------------|---------|--------------|
| `startAudioCaptureWithEchoCancellationEnabled:` | **50,700+** | Passive feed browsing | H5, SA-002 |
| `enableEditingMicrophoneVolume:volumeMultiplier:` | 50,700+ | Mic volume manipulation | H5, SY-001 |
| `isAudioCaptureRunning` | **874,700+** | Polling loop (persistent check) | H5, SA-002 |
| `createAudioPipelineIfNecessaryAndResume` | 600+ | Pipeline creation | H5 |
| `rtcClientDeactivated` | 9,900+ | In 35 seconds | Addendum-Ring-Buffer |
| Background wakeups | 3,751/sec | **25x over iOS limit (150/sec)** | SY-001 |

Crash Log Analysis Line 27

| Metric | Value | Source |
|--------|-------|--------|
| Crash samples analyzed | 16 | CrashReporter |
| AVAudioSession thread present | 14/16 (**87.5%**) | SY-001 |
| Audio activity during normal browsing | Confirmed | Crash thread analysis |

Audio Session State Line 38

| State | Value | Duration | Significance |
|-------|-------|----------|--------------|
| `allowCallKitActiveAdjust` | `false` | 39+ minutes | Bypass without legitimate call |
| `isCallKitActive` | `null` | Throughout | No VoIP call active |
| Category declared | `Ambient` | Continuous | Hides mic access |
| Category actual | `PlayAndRecord` via FBARK | Continuous | Actual mic enabled |

Feed Audio Client Line 46

| Event | Description |
|-------|-------------|
| `newsFeedWasPresented` | Audio client activated when feed visible |
| `_applicationDidBecomeActive` | Audio client reactivated on foreground |
| `_activateFeedAudioClient:` | Internal method to activate feed audio |

TCC (Privacy Permission) Status Line 56

| Permission | Value | Meaning |
|------------|-------|---------|
| Microphone | `auth=2` | ALLOWED |
| Camera | `auth=2` | ALLOWED |
| Contacts | `auth=2` | ALLOWED |
| Photos | `auth=3` | LIMITED |

Chain 1: Audio Capture Correlation Line 94

| Runtime Evidence | Binary Evidence | Correlation |
|------------------|-----------------|-------------|
| 50,700+ capture calls | `FBCCAudioCapturer` class | Method exists, called |
| Echo cancellation enabled | `startAudioCaptureWithEchoCancellationEnabled:` | Method signature matches |
| Mic volume adjustment | `enableEditingMicrophoneVolume:volumeMultiplier:` | 50,700 calls |

Chain 2: Category Spoofing Correlation Line 101

| Runtime Evidence | Binary Evidence | Correlation |
|------------------|-----------------|-------------|
| Ambient category declared | `AVAudioSessionCategoryAmbient` at 0x0136c0d0 | String present |
| Mic actually active | `MicrophoneBuiltIn` in port description | Device reports mic |
| FBARK controller | `FBARKAudioSessionController` | Separate mic access path |

Chain 3: Remote Control Correlation Line 108

| Runtime Evidence | Binary Evidence | Correlation |
|------------------|-----------------|-------------|
| Config values changing | `FBMobileConfigContextManager` | Manager class exists |
| Audio toggled programmatically | `SoundToggleSettingOnProgrammatically` | Enum value at 0x31891422 |
| MQTT messages | 100+ MQTT references | Infrastructure present |

Chain 4: Indicator Suppression Correlation Line 115

| Runtime Evidence | Binary Evidence | Correlation |
|------------------|-----------------|-------------|
| No orange dot during capture | `should_hide_microtray` flag | Server-controlled |
| CallKit bypass active | `allowCallKitActiveAdjust: false` | 39+ minute duration |
| No legitimate call | `isCallKitActive: null` | Bypass without purpose |

Runtime Evidence Grades by Hypothesis Line 141

| Hypothesis | Runtime Evidence Grade | Notes |
|------------|----------------------|-------|
| H1: Microphone Capture | **A** | 50,700+ capture calls, 87.5% crash thread presence |
| H2: Indicator Suppression | **A** | 39+ minute bypass, no legitimate call |
| H3: Steganography | **B** | Indirect - requires extraction verification |
| H4: Network Exfiltration | **B** | Binary paths traced, need packet capture |
| H5: Remote Control | **A** | Flag changes correlated with capture behavior |

Data Flow Summary Line 154

┌─────────────────────────────────────────────────────────────────┐
│                     RUNTIME OBSERVED FLOW                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  [Feed Scroll] ──> [Shimmer UI] ──> [Audio Client Activated]    │
│                                              │                   │
│                                              v                   │
│                    [startAudioCaptureWithEchoCancellation]       │
│                                   (50,700+ calls)                │
│                                              │                   │
│                                              v                   │
│                    [isAudioCaptureRunning polling]               │
│                                   (874,700+ calls)               │
│                                              │                   │
│                                              v                   │
│                    [Background wakeups: 3,751/sec]               │
│                                   (25x iOS limit)                │
│                                              │                   │
│                                              v                   │
│                    [Audio Buffer Processing]                     │
│                         Triple-buffer ring                       │
│                                              │                   │
│                                              v                   │
│                    [Network Upload Pipeline]                     │
│                         (Traced in binary)                       │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

Code Evidence

Plain Text

[App Launch]
       |
       v
[newsFeedWasPresented] ──> FBFeedAudioSessionClient activated
       |
       v
[createAudioPipelineIfNecessaryAndResume] ──> 600+ calls
       |
       v
[startAudioCaptureWithEchoCancellationEnabled:] ──> 50,700+ calls
       |
       v
[isAudioCaptureRunning] polling ──> 874,700+ calls
       |
       v
[rtcClientDeactivated] cycling ──> 9,900+ events in 35 sec
       |
       v
[Background wakeups] ──> 3,751/sec (25x iOS limit)

Plain Text

┌─────────────────────────────────────────────────────────────────┐
│                     RUNTIME OBSERVED FLOW                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  [Feed Scroll] ──> [Shimmer UI] ──> [Audio Client Activated]    │
│                                              │                   │
│                                              v                   │
│                    [startAudioCaptureWithEchoCancellation]       │
│                                   (50,700+ calls)                │
│                                              │                   │
│                                              v                   │
│                    [isAudioCaptureRunning polling]               │
│                                   (874,700+ calls)               │
│                                              │                   │
│                                              v                   │
│                    [Background wakeups: 3,751/sec]               │
│                                   (25x iOS limit)                │
│                                              │                   │
│                                              v                   │
│                    [Audio Buffer Processing]                     │
│                         Triple-buffer ring                       │
│                                              │                   │
│                                              v                   │
│                    [Network Upload Pipeline]                     │
│                         (Traced in binary)                       │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

**Date:** 2025-12-30 **Investigation:** Facebook iOS v345.0 Surveillance Analysis

Runtime Evidence Collected

This document summarizes all runtime instrumentation evidence correlated across agent analyses.

Call Count Summary

Method	Call Count	Context	Agent Source
`startAudioCaptureWithEchoCancellationEnabled:`	50,700+	Passive feed browsing	H5, SA-002
`enableEditingMicrophoneVolume:volumeMultiplier:`	50,700+	Mic volume manipulation	H5, SY-001
`isAudioCaptureRunning`	874,700+	Polling loop (persistent check)	H5, SA-002
`createAudioPipelineIfNecessaryAndResume`	600+	Pipeline creation	H5
`rtcClientDeactivated`	9,900+	In 35 seconds	Addendum-Ring-Buffer
Background wakeups	3,751/sec	25x over iOS limit (150/sec)	SY-001

Crash Log Analysis

Metric	Value	Source
Crash samples analyzed	16	CrashReporter
AVAudioSession thread present	14/16 (87.5%)	SY-001
Audio activity during normal browsing	Confirmed	Crash thread analysis

Runtime States Observed

Audio Session State

State	Value	Duration	Significance
`allowCallKitActiveAdjust`	`false`	39+ minutes	Bypass without legitimate call
`isCallKitActive`	`null`	Throughout	No VoIP call active
Category declared	`Ambient`	Continuous	Hides mic access
Category actual	`PlayAndRecord` via FBARK	Continuous	Actual mic enabled

Feed Audio Client

Event	Description
`newsFeedWasPresented`	Audio client activated when feed visible
`_applicationDidBecomeActive`	Audio client reactivated on foreground
`_activateFeedAudioClient:`	Internal method to activate feed audio

TCC (Privacy Permission) Status

Permission	Value	Meaning
Microphone	`auth=2`	ALLOWED
Camera	`auth=2`	ALLOWED
Contacts	`auth=2`	ALLOWED
Photos	`auth=3`	LIMITED

Audio Pipeline Runtime Flow

Plain Text

[App Launch]
       |
       v
[newsFeedWasPresented] ──> FBFeedAudioSessionClient activated
       |
       v
[createAudioPipelineIfNecessaryAndResume] ──> 600+ calls
       |
       v
[startAudioCaptureWithEchoCancellationEnabled:] ──> 50,700+ calls
       |
       v
[isAudioCaptureRunning] polling ──> 874,700+ calls
       |
       v
[rtcClientDeactivated] cycling ──> 9,900+ events in 35 sec
       |
       v
[Background wakeups] ──> 3,751/sec (25x iOS limit)

Evidence Chain: Runtime → Binary Correlation

Chain 1: Audio Capture Correlation

Runtime Evidence	Binary Evidence	Correlation
50,700+ capture calls	`FBCCAudioCapturer` class	Method exists, called
Echo cancellation enabled	`startAudioCaptureWithEchoCancellationEnabled:`	Method signature matches
Mic volume adjustment	`enableEditingMicrophoneVolume:volumeMultiplier:`	50,700 calls

Chain 2: Category Spoofing Correlation

Runtime Evidence	Binary Evidence	Correlation
Ambient category declared	`AVAudioSessionCategoryAmbient` at 0x0136c0d0	String present
Mic actually active	`MicrophoneBuiltIn` in port description	Device reports mic
FBARK controller	`FBARKAudioSessionController`	Separate mic access path

Chain 3: Remote Control Correlation

Runtime Evidence	Binary Evidence	Correlation
Config values changing	`FBMobileConfigContextManager`	Manager class exists
Audio toggled programmatically	`SoundToggleSettingOnProgrammatically`	Enum value at 0x31891422
MQTT messages	100+ MQTT references	Infrastructure present

Chain 4: Indicator Suppression Correlation

Runtime Evidence	Binary Evidence	Correlation
No orange dot during capture	`should_hide_microtray` flag	Server-controlled
CallKit bypass active	`allowCallKitActiveAdjust: false`	39+ minute duration
No legitimate call	`isCallKitActive: null`	Bypass without purpose

Wakeup Violation Analysis

iOS Background Limit

undefined

Wakeup Sources (Inferred)

undefined

Runtime Evidence Grades by Hypothesis

Hypothesis	Runtime Evidence Grade	Notes
H1: Microphone Capture	A	50,700+ capture calls, 87.5% crash thread presence
H2: Indicator Suppression	A	39+ minute bypass, no legitimate call
H3: Steganography	B	Indirect - requires extraction verification
H4: Network Exfiltration	B	Binary paths traced, need packet capture
H5: Remote Control	A	Flag changes correlated with capture behavior

Data Flow Summary

Plain Text

┌─────────────────────────────────────────────────────────────────┐
│                     RUNTIME OBSERVED FLOW                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  [Feed Scroll] ──> [Shimmer UI] ──> [Audio Client Activated]    │
│                                              │                   │
│                                              v                   │
│                    [startAudioCaptureWithEchoCancellation]       │
│                                   (50,700+ calls)                │
│                                              │                   │
│                                              v                   │
│                    [isAudioCaptureRunning polling]               │
│                                   (874,700+ calls)               │
│                                              │                   │
│                                              v                   │
│                    [Background wakeups: 3,751/sec]               │
│                                   (25x iOS limit)                │
│                                              │                   │
│                                              v                   │
│                    [Audio Buffer Processing]                     │
│                         Triple-buffer ring                       │
│                                              │                   │
│                                              v                   │
│                    [Network Upload Pipeline]                     │
│                         (Traced in binary)                       │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

Conclusion

The runtime evidence forms a complete chain from user interaction (feed scroll) to audio capture infrastructure, with quantitative measurements proving:

undefined

This runtime data corroborates the static binary analysis and elevates H1 (Microphone Capture) and H5 (Remote Control) above their evidence thresholds.

*Runtime Chains Summary - Generated 2025-12-30*

Related Reports

CMSampleBuffer Processing Analysis

Ring Buffer Infrastructure Analysis

Audio Transcoding Infrastructure Analysis

Review: Additional capture logs under `./analysis/facebook/`

Phase 2

Technical Diagrams

Code Evidence

Runtime Evidence Collected

Call Count Summary

Crash Log Analysis

Runtime States Observed

Audio Session State

Feed Audio Client

TCC (Privacy Permission) Status

Audio Pipeline Runtime Flow

Evidence Chain: Runtime → Binary Correlation

Chain 1: Audio Capture Correlation

Chain 2: Category Spoofing Correlation

Chain 3: Remote Control Correlation

Chain 4: Indicator Suppression Correlation

Wakeup Violation Analysis

iOS Background Limit

Wakeup Sources (Inferred)

Runtime Evidence Grades by Hypothesis

Data Flow Summary

Conclusion

Related Reports

CMSampleBuffer Processing Analysis

Ring Buffer Infrastructure Analysis

Audio Transcoding Infrastructure Analysis

Review: Additional capture logs under `./analysis/facebook/`

Agent Handoff Document