Discovery: Google Messages writes ALL RCS messages to content://mms/
as MMS records. Message body in content://mms/{id}/part (ct=text/plain).
RCS metadata (group name, SIP URI) protobuf-encoded in tr_id field.
Sender addresses in content://mms/{id}/addr.
Tested on Pixel 10 Pro Fold, Android 16, Feb 2026 patch — works at
UID 2000 with zero exploits, zero root, zero Shizuku.
New methods:
- read_rcs_via_mms(): extract RCS+MMS with body, addresses, metadata
- read_rcs_only(): filter to RCS messages only (proto: in tr_id)
- read_rcs_threads(): unique conversation threads with latest message
- backup_rcs_to_xml(): full SMS+MMS+RCS backup in SMS Backup & Restore XML
Fixed _content_query() Windows quoting (single quotes for sort/where).
New routes: /rcs-via-mms, /rcs-only, /rcs-threads, /backup-rcs-xml
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

CVE-2025-48543 (ART UAF → system UID):
- Works on Android 13-16 with patch < September 2025
- System UID (1000) can read any app's /data/data/ directory
- No bootloader unlock needed, no root needed
- Pushes exploit APK, executes post-exploit script at system level
- Tasks: extract_rcs, extract_app:<pkg>, disable_mdm, shell
extract_rcs_locked_device():
- Auto-selects best available exploit for the device
- Priority: CVE-2025-48543 → CVE-2024-0044 → content providers
- Extracts bugle_db + WAL + shared_prefs (key material)
- Falls back to SMS/MMS content providers if all exploits fail
CLI: [r] Extract RCS (auto), [e] CVE-2025-48543
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- bugle_db uses SQLCipher/Android encrypted SQLite, not plaintext
- Root extraction now pulls shared_prefs/ and files/ for key material
- Archon relay prefers decrypted JSON dump from app context over raw DB copy
- Updated module docstrings, web UI descriptions, and user manual
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add WiFi Audit, API Fuzzer, Cloud Scanner, Threat Intel, Log Correlator,
Steganography, Anti-Forensics, BLE Scanner, Forensics, RFID/NFC, Malware
Sandbox, Password Toolkit, Web Scanner, Report Engine, Net Mapper, and
C2 Framework. Each module includes CLI interface, Flask routes, and web
UI template. Also includes Go DNS server source + binary, IP Capture
service, SYN Flood, Gone Fishing mail server, and hack hijack modules
from v2.0 work.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Threat Monitor: 7-tab monitoring page (live, connections, network intel,
  threats, packet capture, DDoS mitigation, counter-attack) with real-time
  SSE streaming and optimized data collection (heartbeat, cached subprocess
  calls, bulk process name cache)
- Drill-down popups: Every live monitor stat is clickable, opening a popup
  with detailed data (connections list with per-connection detail view,
  GeoIP lookup, process kill, bandwidth, ARP spoof, port scan, DDoS status)
- Hal agent mode: Chat routes rewritten to use Agent system with
  create_module tool, SSE streaming of thought/action/result steps
- Windows defense module with full security audit
- LLM trainer module and routes
- Defense landing page with platform-specific sub-pages
- Clean up stale files (get-pip.py, download.png, custom_adultsites.json)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Full security platform with web dashboard, 16 Flask blueprints, 26 modules,
autonomous AI agent, WebUSB hardware support, and Archon Android companion app.
Includes Hash Toolkit, debug console, anti-stalkerware shield, Metasploit/RouterSploit
integration, WireGuard VPN, OSINT reconnaissance, and multi-backend LLM support.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>