Introduction to ARM TrustZone and Android TEE

ARM TrustZone technology is a hardware-enforced security extension integral to modern System-on-Chips (SoCs), especially prevalent in Android devices. It partitions the SoC into two distinct worlds: the ‘Normal World’ and the ‘Secure World’. The Normal World runs the standard operating system (like Android), while the Secure World hosts a Trusted Execution Environment (TEE), which executes sensitive operations in isolation. This separation provides a robust foundation for critical security features such as secure boot, digital rights management (DRM), biometric authentication, and cryptographic operations.

What is TrustZone?

TrustZone creates a hardware-level separation, ensuring that code and data within the Secure World are protected from attacks originating in the Normal World. This protection is achieved through a ‘Secure Monitor’ mode, which acts as a gatekeeper, mediating transitions between the two worlds via Secure Monitor Calls (SMCs). Trusted Applications (TAs), running within the TEE, perform specific security-critical tasks.

Why Reverse Engineer TEE?

Reverse engineering TEE images is crucial for security researchers, penetration testers, and vulnerability analysts. It allows for:

• Identifying potential vulnerabilities in trusted applications or the TEE kernel itself.
• Understanding the implementation details of proprietary security features.
• Analyzing secure boot processes and cryptographic key management.
• Bypassing or manipulating DRM mechanisms for research purposes.

Identifying TrustZone Images on Android SoCs

The first step in reverse engineering TEE images is locating them on an Android device. These images are typically part of the device’s firmware and are loaded early in the boot process by the bootloader. Common locations and partition names vary by SoC vendor (Qualcomm, MediaTek, Samsung Exynos) but follow general patterns.

Common Locations and Partition Names

On Qualcomm-based devices, which are a common target for TEE research, TrustZone images are frequently found in partitions such as:

• tz: The primary TrustZone image containing the TEE OS and core TAs.
• sbl1, sbl2, sbl3 (Secondary Bootloader): Older devices might embed TEE components within these.
• xbl (eXtensible Bootloader): Modern Qualcomm devices often use xbl to consolidate early boot stages, and TEE components can be part of this monolithic image.
• abl (Android Bootloader): Sometimes, the TrustZone image or its loader might be linked here.

You can list partitions on an Android device using adb shell ls -l /dev/block/by-name or by examining the device’s partition table (GPT) in recovery mode or through a custom kernel.

Firmware Image Formats

TrustZone images are not always standard ELF binaries. They often come encapsulated in proprietary formats, especially when part of a larger bootloader image. Common characteristics include:

• **Proprietary Headers**: Vendors like Qualcomm use custom headers (e.g., QSEECOM, AHAB) that describe the image’s layout, load addresses, and authentication information.
• **ELF Containers**: Many TEE images, once extracted from their proprietary wrappers, are standard ARM ELF (Executable and Linkable Format) binaries.
• **Raw Binary**: Sometimes, especially for smaller components or early boot stages, the image might be a raw binary blob.

Tools and Techniques for Extraction

Acquiring the Firmware Image

The easiest way to get the firmware image is to dump it directly from the device via ADB if you have root access. For example, to dump the tz partition:

adb shell

        
        
        

            

                
            
            

                
Android Mobile Specs & Compare Directory
                
Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!
                Compare Devices Specs →