Android Hardware Reverse Engineering

Hands-On Lab: TrustZone OS Firmware Extraction from Android Devices

By Antigravity Research Published May 29, 2026 ⏱️ 6 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to TrustZone and Secure Enclaves

ARM TrustZone technology provides a hardware-enforced isolation mechanism within a single processor core, creating two distinct execution environments: the Normal World and the Secure World. This fundamental separation allows sensitive operations and data to be protected from the potentially compromised Normal World, where the standard Android operating system runs. The Secure World hosts a minimal, highly-privileged operating system, often referred to as a TrustZone OS (TZOS) or Trusted Execution Environment (TEE). Manufacturers like Qualcomm, Samsung, and Huawei implement their own proprietary TZOS solutions, such as QSEE (Qualcomm Secure Execution Environment).

The TZOS is critical for Android device security, handling sensitive tasks like cryptographic key management, DRM content protection, biometric authentication, secure boot, and hardware-backed attestation. A compromise of the TZOS could undermine the entire security model of the device, making it a prime target for security researchers and attackers alike.

Why Extract TrustZone OS Firmware?

Security Vulnerability Research

Extracting TZOS firmware is a crucial first step for security researchers aiming to discover vulnerabilities. By reverse engineering the firmware, researchers can identify potential flaws, such as buffer overflows, cryptographic implementation errors, or design weaknesses that could lead to privilege escalation or information leakage from the Secure World. This analysis helps in understanding the attack surface and developing proof-of-concept exploits.

Reverse Engineering and Analysis

For those interested in understanding the inner workings of Android security, TZOS firmware provides a wealth of information. It allows for the study of proprietary implementations of secure services, cryptographic primitives, and secure bootloaders. This deep dive can reveal vendor-specific security features, architectural choices, and potential deviations from standard practices, which might be useful for both offensive and defensive security purposes.

Forensic Analysis

In digital forensics, extracted TZOS firmware can be invaluable. It can help in understanding how secure data is stored, processed, and protected on a device. Analyzing the firmware might reveal hidden data, attack indicators, or methods used by malware to interact with the Secure World, aiding in the reconstruction of attack scenarios and recovery of crucial evidence.

Challenges in TZOS Firmware Extraction

Extracting TZOS firmware is not a trivial task due to several layers of protection:

  • Hardware-level protections: Modern devices employ secure boot mechanisms, fuse blowing, and debug port lockdown (e.g., JTAG/SWD disabled or restricted) to prevent unauthorized access to sensitive memory regions.
  • Software obfuscation: Firmware images are often obfuscated, encrypted, or packed to hinder reverse engineering efforts.
  • Anti-tampering mechanisms: Devices often detect unauthorized modifications or attempts to dump firmware and can self-destruct or lock down.
  • Vendor-specific implementations: Each manufacturer and even different device models can have unique ways of structuring their secure partitions and handling firmware, requiring tailored approaches.

Methodology: Exploiting EDL Mode for Qualcomm Devices

For Qualcomm-based Android devices, a common and effective method for firmware extraction is leveraging the Emergency Download (EDL) mode. EDL mode is a special boot mode designed for low-level device flashing and recovery in factory settings or for unbricking devices. When a Qualcomm device enters EDL mode, it bypasses the normal boot process, allowing direct interaction with the SoC’s boot ROM via the Qualcomm Sahara and Firehose protocols. This mode often provides unrestricted access to internal memory regions, making it an ideal vector for dumping partitions, including the TZOS firmware.

Step-by-Step Lab: TrustZone OS Extraction

This hands-on lab will guide you through extracting TZOS firmware using the `qualcomm-edl` tool, targeting a Qualcomm-based Android device.

Prerequisites

  • An Android device with a Qualcomm chipset. (e.g., older OnePlus, Xiaomi, or Pixel devices that still allow EDL access).
  • A standard USB-A to USB-C/Micro-USB cable.
  • A Linux or Windows PC.
  • Python 3 installed on your PC.
  • Basic command-line familiarity.

Step 1: Install `qualcomm-edl`

The `qualcomm-edl` tool is a Python-based utility that facilitates communication with Qualcomm devices in EDL mode. Install it via pip:

pip install qualcomm-edl

Step 2: Boot Device into EDL Mode

This is often the trickiest part, as methods vary significantly by device:

  • `adb reboot edl` (if enabled): For some rooted devices or those with specific bootloader configurations, you might be able to simply execute: 
    adb reboot edl
  • Test Point Method: This involves physically shorting two specific points (test points) on the device’s PCB while connecting it to a PC via USB. This usually requires disassembling the device. Consult device-specific forums (e.g., XDA Developers) for test point locations.
  • Volume Button Combination: On some devices, holding both Volume Up and Volume Down buttons simultaneously while plugging in the USB cable (or pressing Power) can trigger EDL mode.
  • Deep Sleep Bug/Bootloader Exploit: Some devices have specific software vulnerabilities that can force them into EDL mode without physical access or root. Research your specific device model for known exploits.

Once in EDL mode, your device screen will typically be blank or show a static logo. On your PC, verify the device is recognized:

  • Linux: Check `lsusb`. You should see a Qualcomm device, often listed as `Qualcomm Inc. Gobi, CDMA Technologies` or similar.
  • Windows: Check Device Manager under ‘Ports (COM & LPT)’ for ‘Qualcomm HS-USB QDLoader 9008’.

Step 3: Identify TrustZone Partitions

In EDL mode, we can query the device’s partition table to locate the TZOS firmware. The TrustZone partition is commonly named `tz`, `cdt`, `sbl`, `abl`, or `hyp`. Use `edl printgpt` to list all partitions and their sizes:

edl printgpt

This command will output a list of partitions. Look for partitions with names like `tz` (most common), `hyp` (hypervisor), `sbl1` (secondary bootloader), `abl` (Android bootloader), or `modem`. The `tz` partition is usually the primary TrustZone OS image. Note its size and sector information; these are useful for verification.

Step 4: Extract the TZOS Firmware

Once you’ve identified the target partition (e.g., `tz`), you can use the `edl read` command to dump its contents to a file:

edl read tz tz.img

Replace `tz` with the actual name of your TrustZone partition if it differs. The command will save the raw binary image of the TrustZone OS to `tz.img` in your current directory. For a full memory dump (if supported by your device’s firehose, which offers even more access), you could try:

edl read --memory-dump memory_dump.bin

This will attempt to dump the entire accessible memory, which can be massive but provides a comprehensive look.

Step 5: Initial Analysis

After successfully extracting the firmware, you can perform initial analysis:

  • File Type Identification: Use the `file` command to determine the image’s format: 
    file tz.img

    This often reveals if it’s a raw ARM/AArch64 executable, an ELF file, or a proprietary format.

  • Load into a Disassembler: Open `tz.img` in a disassembler like IDA Pro or Ghidra. You’ll likely need to manually specify the architecture (ARM or AArch64) and the base address (which can sometimes be inferred from the partition table or device documentation). Start by looking for known function signatures, strings, or cryptographic constants to orient yourself.

Conclusion

Extracting TrustZone OS firmware is a critical step for anyone delving into Android’s low-level security. By leveraging tools like `qualcomm-edl` and understanding the nuances of EDL mode, researchers can gain unprecedented access to the Secure World’s logic. This hands-on lab provided a practical guide to obtaining these sensitive binaries, paving the way for in-depth vulnerability research, reverse engineering, and forensic analysis. Remember to always conduct such research ethically and responsibly, adhering to responsible disclosure guidelines if vulnerabilities are discovered.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #EDL Mode #Firmware Extraction #Reverse Engineering #TrustZone

Related Technical Guides

EDL Mode Deep Dive: Exploiting Firehose Protocol for Raw NAND Dumps

May 29, 2026

Uncovering Vulnerabilities: Security Analysis of Android WiFi/BT SPI Flash Firmware

May 30, 2026

From Dead Phone to Data: Advanced Techniques for NAND Flash Chip-Off Acquisition and Analysis

May 29, 2026