Hector Martin

How many of your raspis have an mmc1? I can give you a file system dump but it won’t help much as the fun stuff is loaded into a ramdisk from inaccessible hidden partition and only the unmodified components are available to dump. Offline forensics won’t make much headway.

Seriously, you have *no excuse* for this stuff. The moment you saw "mmc1" you should've looked at sysfs to find out what that is used for, or the device tree to figure out how it's configured. This is just shoddy research. https://github.com/raspberrypi/linux/blob/rpi-4.14.y/arch/arm/boot/dts/bcm2837-rpi-3-b.dts …

Don't care what it's used for there, as long as adversary has multiple control links in (probably multiple operators). Static thinking again. A few lines of code and dev will deploy other use in 15 minutes. Analysis needs to wait for control neutralization/isolation.

You said "How many of your raspis have an mmc1?" and I explained to you how the answer is ALL OF THEM (of this model). Are you going to ever admit you confused something completely benign for an IOC, or just keep bullshitting forever?

Look at some raspi boot dmesgs and you will get what I'm talking about. I do that so often I can sometimes pick out lines that are wierd as it scrolls by even. Please stop being patronizing. Maybe these folks are already on your some of your computers. Would you know?

I'm still waiting for a single piece of verifiable evidence that something is out of place. Where are these "weird" boot logs? Perhaps you should start considering that if everyone else can find a benign explanation for everything you point out, maybe the problem is in your head.

You seem to think my job is to convince you. My task's securing my computers. Ocasionally advice for others own good/public benefit. And pick big problems/threats for conferences so folks can work on. You think I'm crazy? Enjoy life in the Prepositioned Cyberasset Club.