That is up for debate as it is a secret kept by the company.

Best guess would be doing some kind of buffer overflow over USB to allow the tool to read the entire storage.

Cellebrite DOES use undisclosed and unpatched vulns (zero days) to access the device’s memory. It absolutely automates hacking a locked phone.

Those kind of capabilities are way out of reach for consumers as those kind of zero days can get security researchers big bounties. I’m sure Cellebrite have their own security researchers.

Cellebrite had a couple products, and they work different.

UFED basically is a backup creator. It use to do more, but Apple and Google security are so go, they basically only use the communication method available in the phone.

Their premium product, Inseyets UFED, is more capable. It uses unknown exploits to accomplish several objectives on the phone - from gaining access to run other exploits, to gaining access to the full file system.

How do the exploits work? No one outside cellebrite knows. If those details got out, the explicit would get patched, and cellebrite would have to find another exploit.