Android Hardware Reverse Engineering

Demystifying TZOS Firmware Extraction on Qualcomm Platforms: A Practical Guide

By Antigravity Research Published May 29, 2026 ⏱️ 8 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: The Enigma of Qualcomm TrustZone OS

Qualcomm’s TrustZone technology is a fundamental cornerstone of modern Android device security. It establishes a ‘Secure World’ alongside the ‘Normal World’ (where Android runs), leveraging ARM’s TrustZone extensions. Within this Secure World operates the TrustZone Operating System (TZOS), a microkernel-based environment hosting critical security services such as secure boot verification, cryptographic operations, DRM, and secure key storage. For security researchers, reverse engineers, and forensic analysts, understanding and extracting the TZOS firmware is a crucial step towards identifying vulnerabilities, analyzing security mechanisms, or recovering vital data.

However, extracting TZOS firmware presents significant challenges due due to robust hardware and software protections. This guide aims to demystify the process, offering practical, expert-level techniques for both software and hardware-based firmware extraction on Qualcomm platforms.

Understanding Qualcomm’s TrustZone Architecture

At its core, ARM TrustZone technology partitions the system into two execution environments: the Normal World and the Secure World. Qualcomm’s implementation places its TZOS (often referred to as QSEE – Qualcomm Secure Execution Environment) within the Secure World, specifically running at EL1 Secure (EL1s). Communication between the Normal World (e.g., Android kernel and user space applications) and the Secure World occurs via Secure Monitor Calls (SMCs) handled by the Secure Monitor (EL3).

Key components resident in the Secure World include:

  • TZOS (QSEE): The secure microkernel managing secure applications (Trustlets).
  • Trustlets (Secure Applications): Small, specialized applications performing sensitive tasks (e.g., fingerprint authentication, DRM, secure payment processing).
  • Secure Boot: A chain of trust ensuring only authenticated firmware components load from bootloader (SBL) to TZOS and kernel.
  • Hardware Crypto Engines: Dedicated hardware for accelerated cryptographic operations.

The TZOS firmware is typically stored in dedicated partitions on the eMMC/UFS storage, alongside other critical boot components.

Prerequisites for Firmware Extraction

Before attempting extraction, ensure you have the necessary tools and understanding:

Software Prerequisites:

  • A rooted Android device (for software-based methods).
  • ADB (Android Debug Bridge) and Fastboot tools.
  • A Linux-based host machine.
  • Basic knowledge of Linux shell commands and Android partitioning.
  • Binary analysis tools like IDA Pro or Ghidra for post-extraction analysis.

Hardware Prerequisites (for hardware-based methods):

  • eMMC/UFS programmer (e.g., Easy JTAG Plus, Z3X EasyJTAG, Medusa Pro).
  • Soldering equipment (hot air station, soldering iron) for chip-off.
  • JTAG/SWD debugger (e.g., J-Link, OpenOCD with compatible probes) – highly situational.

Method 1: Software-Based TZOS Extraction (Live Device)

Software-based extraction relies on privileged access to a running device, typically achieved through rooting or exploiting kernel vulnerabilities.

Step-by-Step: Dumping Partitions via ADB

The most straightforward (though often restricted) software method involves directly accessing the device’s storage partitions. Modern Qualcomm devices employ robust memory protection, but older devices or devices with specific kernel vulnerabilities might allow this.

  1. Identify TZOS Partitions: Connect your rooted device via ADB and list the block devices to find partitions related to TrustZone. Common partition names include tz, hyp, aop, rpm, and sometimes components within the modem partitions. The exact path may vary (e.g., /dev/block/mmcblk0pXX or /dev/block/sdaXX for UFS, or via symlinks in /dev/block/platform/*/by-name/). 
    adb shell
ls -l /dev/block/platform/*/by-name/

    Look for entries like lrwxrwxrwx root root 2015-01-01 08:00 tz -> /dev/block/mmcblk0p28. The tz partition is your primary target. Others like hyp (hypervisor) and aop (always-on processor) might also contain secure firmware.

  2. Dump the Partition: Use the dd command to dump the raw contents of the identified partition to the device’s accessible storage (e.g., /sdcard/). 
    adb shell
dd if=/dev/block/platform/soc/1a00000.ufs/by-name/tz of=/sdcard/tz_image.bin
exit
  3. Retrieve the Image: Pull the dumped file from the device to your host machine. 
    adb pull /sdcard/tz_image.bin .

Considerations for Software-Based Extraction:

This method is highly dependent on kernel permissions. On many modern devices, even with root, direct read access to these critical partitions is blocked by kernel drivers or SELinux policies, preventing unauthorized dumping. Exploiting specific kernel vulnerabilities (e.g., an arbitrary physical memory read exploit) would be required to bypass these protections.

Method 2: Hardware-Based TZOS Extraction (Dead Device/Forensics)

Hardware-based extraction is generally more reliable as it bypasses software protections, but requires physical access and specialized equipment.

Step-by-Step: eMMC/UFS Chip-Off Forensics

This is the most common and effective hardware method for obtaining raw firmware images.

  1. Device Disassembly: Carefully disassemble the target device to expose the main PCB.
  2. Chip Identification: Locate the eMMC (Embedded MultiMediaCard) or UFS (Universal Flash Storage) chip. These are typically square, multi-pin packages often marked with vendor names like Samsung, SK Hynix, Micron, or Kioxia.
  3. Chip-Off: Using a hot air station, carefully desolder the eMMC/UFS chip from the PCB. This requires precision to avoid damaging the chip or surrounding components.
  4. Data Extraction with Programmer: Place the desoldered chip into a compatible socket on an eMMC/UFS programmer.
  5. Dump Raw Image: Use the programmer’s software to read out the entire raw contents of the chip. This will yield a large binary file representing the entire device storage (often several GBs). 
    # Example conceptual command from programmer software
programmer_tool --device-type UFS --read-full-dump --output raw_ufs_dump.bin

Step-by-Step: JTAG/SWD Debugging (Advanced & Rare)

JTAG (Joint Test Action Group) or SWD (Serial Wire Debug) provides a low-level interface for debugging and memory access. On retail devices, these interfaces are almost always disabled (debug fuses are blown) for security. However, on engineering samples or development boards, it might be possible.

  1. Locate Debug Pads: Identify the JTAG/SWD test points on the PCB (TCK, TMS, TDI, TDO for JTAG; SWDIO, SWCLK for SWD).
  2. Connect Debugger: Solder wires or use a pogo-pin adapter to connect your JTAG/SWD debugger (e.g., J-Link, ST-Link, or an OpenOCD-compatible probe) to the identified pads.
  3. Establish Connection: Use debugging software (e.g., GDB with OpenOCD) to establish a connection to the CPU.
  4. Memory Dump: If successful, you may be able to read specific memory regions. The TZOS code typically resides in RAM after boot, loaded from storage. Identifying the correct physical address ranges is critical. This often involves analyzing memory maps obtained from other means or through dynamic debugging. For example, to dump 1MB from address 0x80000000: 
    # OpenOCD command example
init
reset halt
dump_image tz_ram_dump.bin 0x80000000 0x100000

    This method is highly complex and rarely feasible on production hardware due to security measures.

Analyzing the Extracted Firmware

Once you have a raw binary image (either from software dump or chip-off), the next step is analysis.

  1. Partition Analysis (for raw chip dumps): Use tools like fdisk -l or specialized disk image analysis tools to identify the GPT (GUID Partition Table) within the raw dump. Locate the ‘tz’ (or equivalent) partition. 
    # Example using fdisk on a loop device for a raw dump
sudo losetup -f --show raw_ufs_dump.bin
sudo fdisk -l /dev/loop0
# Calculate offset and size for the 'tz' partition
# Then use dd to extract the partition:
dd if=raw_ufs_dump.bin of=tz_partition.bin bs=512 skip=<start_sector> count=<num_sectors>
  2. File Type Identification: Use the file command to determine the format of the extracted tz_image.bin (or tz_partition.bin). It will likely be an ELF (Executable and Linkable Format) file, or a raw binary. If it’s a multi-component firmware, you might need to carve out individual modules.
  3. Disassembly and Decompilation: Load the firmware image into a powerful disassembler and decompiler like IDA Pro or Ghidra. Configure the correct architecture (AArch64 for modern Qualcomm SoCs).
  4. Identify Key Components:
    • Entry Points: Find the initial code execution point.
    • SMC Handlers: Identify functions responsible for handling Secure Monitor Calls.
    • Trustlets: Look for specific headers or structures that indicate embedded Trustlets. These are often separate ELF binaries or custom formats within the main TZOS image.
    • Cryptographic Routines: Identify functions responsible for encryption, decryption, hashing, and key management.
  5. Reverse Engineering Logic: Dive into the assembly and pseudocode to understand the functionality of different components, the communication protocols between Trustlets and the Normal World, and potential vulnerabilities.

Challenges and Countermeasures

Qualcomm employs several robust security features to prevent TZOS extraction and tampering:

  • Secure Boot: Ensures only cryptographically signed code can execute, preventing unauthorized firmware from loading.
  • Memory Protection: Sophisticated MMU/MPU configurations restrict Normal World access to Secure World memory.
  • Hardware Fuses: One-time programmable fuses can permanently disable debug interfaces (JTAG/SWD) and enforce secure boot.
  • Firmware Encryption: In some advanced implementations, portions of the firmware itself might be encrypted on disk, requiring a key only available in the Secure World or during boot.
  • Anti-Tampering Measures: Mechanisms to detect physical tampering or unauthorized software modification.

Conclusion

Extracting Qualcomm TZOS firmware is a challenging but rewarding endeavor, offering deep insights into the foundational security mechanisms of Android devices. While software-based methods are often hindered by robust protections, hardware-based chip-off forensics remains a reliable technique for obtaining raw firmware images. The subsequent analysis with tools like IDA Pro and Ghidra is critical for uncovering vulnerabilities, understanding secure boot processes, and advancing the state of mobile security research. Always ensure any research is conducted ethically and responsibly.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #Firmware Extraction #Qualcomm TrustZone #Reverse Engineering #TZOS

Related Technical Guides

Dump Android Firmware via SWD: Hands-on Tutorial for Memory Extraction

May 29, 2026

Ultimate Guide: How to Trigger MediaTek BROM Mode & Bypass SLA/DA for Bootrom Access

May 30, 2026

Chemical Delidding Secrets: Safely Decapping Android SoCs Without Damaging the Die

May 29, 2026