Post cover image

June 2, 2026

Part 6— I Tore It Apart. Here’s What Was Really Inside the Fake Galaxy “S25” Ultra

If you’ve been following this series, you already know what this device did in software. It spoofed its identity. It embedded surveillance…

C. Oscar Lawshea

6 min read

If you've been following this series, you already know what this device did in software. It spoofed its identity. It embedded surveillance payloads with irrevocable system permissions. It attempted cellular fallback the moment I put it on a monitored network. Parts 1 through 4 told that story in detail and it was bogus enough on its own.

But I needed to see the hardware.

Because software lies gracefully. Software hides. What's inside the chassis doesn't lie; it just sits there, exposed under the work light, telling you exactly what it is.

So, I got out my heat plate, set it to 54°C, grabbed the pry picks, and opened it up. What I found was worse than I expected.

The Setup

For anyone curious about the process: phone teardowns require patience and heat. The adhesive holding the back glass softens at around 50–60°C — enough to work a pick into the seam without cracking the panel.

None None

I set up a silicone repair mat, an electric precision screwdriver kit, anti-static tweezers, and a set of spudgers. Same toolkit I used back in my T-Mobile repair days. The process is methodical. You document as you go. I documented everything.

None

First Red Flag: The Chassis Labels

Before I even reached the motherboard, the chassis itself gave things away.

None

The internal frame is stamped S3RQ-GWBFJ-V1.0 and S3RQ-GSM-V1.0. These aren't Samsung part numbers. Samsung uses a completely different internal naming convention across its supply chain, nothing in their documented teardowns or repair manuals matches this format. What you're looking at is a generic Chinese OEM chassis designation. The same kind you'd find on dozens of budget white-label devices built on shared tooling out of Shenzhen.

The frame that's supposed to say "flagship" says "generic" the moment you look past the surface.

None

The Motherboard: Meet the Real Brain

Here's where it gets definitive.

None

Affixed to the motherboard is a hand-written label. I photographed it clearly:

None

OMG (3GB+64/4M) RK1RQ V707IK V6.0 ATA i(10) 022A DL_H_BT_MMI

Let's talk about what that means.

RK1RQ is a Rockchip processor. Rockchip is a Chinese fabless semiconductor company that makes budget SoCs primarily for low-cost tablets, set-top boxes, and entry-level Android devices. It has absolutely nothing to do with Samsung's Snapdragon 8 Elite that the S25 Ultra actually runs. The performance gap between these two chips isn't marginal. It's generational. You're comparing a bicycle to a sports car and calling them the same vehicle.

3GB RAM. 64GB storage. The real Samsung Galaxy S25 Ultra ships with a minimum of 12GB RAM and 256GB storage. What's inside this device would struggle to run modern Android smoothly — let alone the AI-powered camera system it's pretending to have.

The "OMG" prefix on that label feels almost intentional.

The Camera Fraud — This One Stopped Me Cold

I want to be precise here because this detail matters.

The back of this device presents five camera openings. Five individual lens housings, complete with gold trim rings, protective glass, and the visual language of a flagship multi-camera system. From the outside, it's convincing. I've shown this phone to people who do repairs for a living and they didn't immediately clock it as fake.

None

After disassembly, I pulled the actual camera modules.

There are two.

One rear camera. One front camera.

None

The remaining lens openings, three of them, are decorative fills. Plastic or glass seated in a housing with nothing behind it. No sensor. No flex cable. No module of any kind. Just the appearance of a camera where a camera should be.

None None None

Think about the engineering decision that represents. Someone at a factory designed a lens bracket with three dummy positions specifically to deceive buyers into believing this device has capabilities it will never have. This isn't a cost-cutting compromise. This is deliberate fraud built into the industrial design. The software was spoofing identity. The hardware was doing the same thing. At least they're consistent.

The Build Quality: Engineered to Be Disposable

Here's something that surprised me, not because it was shocking, but because of what it implies.

In legitimate smartphones, even cheap ones, internal components connect via modular connectors. ZIF sockets. Pressure contacts. This is how repair is made possible. Screen cracked? Disconnect the display cable, swap the panel, reconnect. Battery degraded? Pop the connector, replace it. This is standard across the industry.

This device operates on a different philosophy entirely.

The battery is soldered directly to the daughter board. The daughter board ribbon cable is soldered in. The screen connection is soldered. None of these components detach cleanly. When I attempted to work them loose for documentation, the ribbon began to tear.

None None

This device cannot be repaired. By anyone. Ever.

When you put that fact next to the firmware, the surveillance payloads, the identity spoofing, the cellular fallback behavior; a picture comes together. This wasn't designed to be a phone someone owns and maintains over time. It was designed to be used for a window of time, during which the firmware does what it was built to do, and then discarded when it inevitably fails.

The hardware and the software are telling the same story. They just tell it in different languages.

The Battery: One More Lie

None None

The battery label reads H45565P-34W-S2. I scanned the QR code on both the module and battery directly; it returned a generic manufacturing serial: A22241MB125072 and RA10–120250116. No Samsung lineage. No service pack designation. Nothing.

Breaking down the format:

  • RA10 — likely an internal factory model code
  • 12 — probably December
  • 02 — likely 2nd batch/lot
  • 2025 — manufacture year 2025
  • 0116 — possibly a sequential unit number

It reads like an internal factory batch code, not a consumer-facing part number at all. This battery was manufactured for internal use in a specific production run and was never assigned a legitimate retail or OEM part designation.

For reference, the real Samsung Galaxy S25 Ultra battery carries part number EB-BS938ABE, service pack code GH82–36389A, 5,000mAh, documented and verifiable across Samsung's repair ecosystem.

The closest Samsung part number containing "910" that actually exists? EB-BR910ABY, a 410mAh cell designed for the Galaxy Watch 5 smartwatch.

What's soldered into this device isn't a phone battery with a known spec sheet. It's an unbranded generic cell of unknown capacity and unknown origin, permanently installed in a device that can never have it replaced. A black rectangle with a number on it, and that number doesn't belong to anything real.

What This All Adds Up To

Parts 1 through 4 told you what this device does when it's running, the surveillance architecture, the identity spoofing, the network evasion. Part 6 tells you what it is underneath all of that.

A Rockchip budget SoC dressed in Samsung clothing. Three fake cameras behind real-looking glass. Soldered internals designed to prevent repair and guarantee disposal. An unbranded battery with no lineage and no replacement path. A chassis stamped with OEM codes that have nothing to do with Samsung's supply chain.

From the outside, it's a flagship. Inside, it's a trap; hardware designed to be believed just long enough, and software designed to take everything it can while you believe it.

The seller is gone from Temu. The 942 units they sold are still out there. And every person who bought one and signed into their Google account, their bank app, their social media, handed that access to a device engineered specifically to receive it.

What's Next

There's one more thread I haven't pulled yet.

During the teardown, I identified what appear to be exposed UART test points on the motherboard, labeled RX, TX, and GND. UART is a serial communication interface used during device development and manufacturing. Finding accessible, labeled UART pads on a consumer device means one thing: There may be a debug shell waiting behind those pins…

None

If you made it this far, QuantumFeed was built for exactly the threat landscape this device represents, real-time CVE tracking, AI-powered security briefs, and threat intelligence that doesn't wait for you to go looking for it. It's available now on Google Play.