Android Hardware Reverse Engineering

Persistent TEE Exploitation: Building Hardware Backdoors for TrustZone Access

By Antigravity Research Published May 29, 2026 ⏱️ 6 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Persistent TEE Exploitation

The ARM TrustZone technology has become a cornerstone for security in modern System-on-Chips (SoCs), particularly within Android devices. It partitions the system into a Normal World (where the OS runs) and a Secure World (hosting the Trusted Execution Environment, TEE) to protect sensitive operations like digital rights management (DRM), secure boot, and cryptographic key management. While software vulnerabilities within the TEE are frequently targeted, achieving persistent control often requires more sophisticated approaches. This article delves into the realm of hardware-level exploitation to establish persistent backdoors within the TrustZone TEE, bypassing typical software protections and surviving system resets or updates.

Understanding ARM TrustZone and the TEE

ARM TrustZone operates on the principle of isolation. A single physical CPU core provides two virtual execution environments: the Normal World and the Secure World. A special component called the Monitor Mode controls transitions between these worlds. The Secure World hosts the TEE, an isolated environment where trusted applications (TAs) execute, handling sensitive data and operations critical to the device’s security posture. Examples include OP-TEE, Trusty TEE, and various vendor-specific implementations.

The integrity of the TEE is paramount. If an attacker can inject malicious code or subvert its execution, they gain access to protected resources, compromise cryptographic operations, or even disable secure boot mechanisms, leading to a complete compromise of the device’s security.

The Hardware Threat Model: Why Go Beyond Software?

Software-only exploits, while powerful, often suffer from transience. A system reboot, a firmware update, or even a factory reset can erase the attacker’s foothold. Hardware backdoors, however, offer a level of persistence that software exploits cannot match. By physically modifying the device or its firmware at a low level, an attacker can embed malicious logic that executes even before the main operating system boots, or within the secure boot chain itself.

Primary hardware vectors for persistent TEE exploitation include:

  • Debug Interface Abuse: Leveraging interfaces like JTAG or SWD for direct memory access and control.
  • Non-Volatile Memory (NVM) Manipulation: Physically accessing and modifying the flash memory (eMMC, UFS, NAND) that stores critical bootloaders and TEE images.

Exploitation Vector 1: Debug Interface Abuse (JTAG/SWD)

JTAG (Joint Test Action Group) and SWD (Serial Wire Debug) are industry-standard debug interfaces found on most SoCs. Designed for development and testing, they provide powerful capabilities:

  • Reading and writing CPU registers and memory.
  • Setting breakpoints and single-stepping through code.
  • Controlling peripheral devices.

On production devices, these interfaces are typically disabled or protected by fuses and authentication mechanisms. However, in many cases, especially on less secure consumer-grade hardware or development boards, these protections might be weak or absent.

Identifying and Connecting via JTAG/SWD

The first step involves identifying the JTAG/SWD pins on the target PCB. This can be done by inspecting device schematics (if available), analyzing public teardowns, or physically tracing PCB traces from known SoC pinouts. Once identified, a hardware debugger like an FT2232H-based adapter, J-Link, or Bus Pirate can be used to connect.

Example JTAG Connection with OpenOCD:

# Assuming an FT2232H-based adapter and a target with Cortex-A cores
# openocd -f interface/ftdi/jtag-lock-pick_tiny.cfg -f target/arm_cortex_a.cfg
Open On-Chip Debugger 0.11.0
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
jtag_lock_pick_tiny
Info : ftdi:tms_delay cycles: 1
Info : clock speed 1000 kHz
Info : JTAG tap: auto0.tap - tap/device found: 0x4ba00477 (IR length 4)
Info : JTAG tap: auto1.tap - tap/device found: 0x5ba00477 (IR length 4)
Info : auto0.tap: Arm Cortex-A7 r0p5
Info : auto1.tap: Arm Cortex-A7 r0p5
Info : auto0.tap: Core ID is 0x4ba00477
Info : auto1.tap: Core ID is 0x5ba00477
Info : auto0.tap: Using core 'auto0.tap'
Info : auto1.tap: Using core 'auto1.tap'
# Once connected, you can halt the CPU and interact with memory
> halt
> mdw 0x10000000 16  # Read 16 words from address 0x10000000

If debug authentication is enabled, bypassing it is an advanced challenge. Techniques might include voltage glitching during boot to temporarily disable fuses, or leveraging physical access to enable debug pins that were intended to be disabled.

Exploitation Vector 2: Firmware Modification on Non-Volatile Memory (NVM)

The most robust method for persistent TEE exploitation involves directly modifying the non-volatile memory (eMMC, UFS, or NAND flash) where the secure bootloaders and TEE images reside. This allows for injecting malicious code that executes as part of the trusted boot chain.

Step 1: Physical Access and Memory Dump

The first step requires desoldering the eMMC/UFS/NAND chip from the target device’s PCB. This delicate process requires specialized hot-air rework stations and soldering skills. Once desoldered, the chip is placed into a universal memory programmer or specialized eMMC/UFS reader (e.g., Z3X EasyJTAG, UFI Box, Medusa Pro). The entire contents of the chip are then dumped to a file.

# Conceptual steps for dumping eMMC via programmer
# 1. Desolder eMMC chip from device.
# 2. Place chip into compatible eMMC socket on programmer.
# 3. Use programmer software to dump entire chip contents.
# Example command (programmer specific, conceptual):
# easyjtag --read_full_dump --output_file my_device_emmc_dump.bin

Step 2: Reverse Engineering the TEE Image

With the full memory dump, the next task is to locate and reverse engineer the TEE image and related secure boot components. Key partitions to identify include:

  • RPMB (Replay Protected Memory Block): Stores critical cryptographic keys and counters.
  • tz, trustzone, tee_a (or similar): Partitions containing the TEE operating system and trusted applications.
  • Bootloader partitions (e.g., abl, xbl, sbl): Containing the initial boot code that verifies and loads the TEE.

Tools like IDA Pro or Ghidra are essential for analyzing the dumped binaries. The focus should be on:

  • Identifying the TEE’s entry points and its communication interface with the Normal World (e.g., SMC calls).
  • Locating where Trusted Applications (TAs) are loaded and their signature verification mechanisms.
  • Analyzing the secure boot process to understand how the TEE’s integrity is verified.

Step 3: Injecting the Malicious Code

The objective is to introduce a persistent backdoor. Common approaches include:

  1. Modifying an existing Trusted Application: Injecting malicious functionality into a legitimate TA to give it unintended capabilities or create a secret communication channel.
  2. Creating a new Malicious Trusted Application: Developing a custom TA that exposes a

    Android Mobile Specs & Compare Directory

    Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

    Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #Hardware Exploitation #Reverse Engineering #TEE #TrustZone

Related Technical Guides

Troubleshooting JTAG Connectivity for Android SoCs: Common Pitfalls & Fixes

May 30, 2026

Automating JTAG for Android: Scripting Memory Dumps & Firmware Patching

May 29, 2026

Troubleshooting Common eMMC Read Errors: A Guide for Android Hardware Reverse Engineers

May 29, 2026