Android Hardware Reverse Engineering

Android HSM Bypass Lab: Fault Injection Attacks for Keymaster Compromise


Introduction to Android Hardware Security and Keymaster

Android’s security architecture heavily relies on hardware-backed keystores to protect cryptographic keys. At the heart of this system lies the Hardware Security Module (HSM), often implemented within a Trusted Execution Environment (TEE) like ARM TrustZone. These HSMs are designed to provide a secure environment where keys can be generated, stored, and used without ever being exposed to the less secure ‘normal world’ operating system.

The Android Keymaster Hardware Abstraction Layer (HAL) is the interface through which applications and the Android OS interact with these hardware-backed keystores. Keymaster is responsible for critical operations such as key generation, key import, key export, cryptographic operations (sign, verify, encrypt, decrypt), and enforcing key usage policies. Compromising the Keymaster means gaining unauthorized access to or control over these cryptographic keys, which can have devastating security implications.

This expert-level guide delves into the fascinating and challenging realm of bypassing Android HSMs using fault injection techniques. Our goal is to demonstrate how controlled environmental stresses, specifically voltage glitches, can disrupt the normal execution flow within the TEE, potentially leading to a compromise of the Keymaster’s integrity and subsequent key extraction or policy bypass.

The Android Keymaster and TrustZone Architecture

Keymaster HAL and its Implementations

The Android Keymaster HAL defines the interface for cryptographic key management. Its implementations can vary:

  • Software-backed: Keys handled entirely within the Android OS process, offering minimal security.
  • TEE-backed: Keys managed by a Trusted Application (TA) running in a TEE (e.g., TrustZone), providing a much higher level of security against software attacks.
  • StrongBox: An even more isolated, dedicated secure element, offering the highest level of hardware-backed security, often with physical tamper resistance.

For this lab, we focus on TEE-backed Keymaster implementations, as these represent the primary target for hardware-level attacks like fault injection.

TrustZone as a Secure Environment

ARM TrustZone technology partitions a single processor into two virtual processors: a ‘Secure World’ and a ‘Normal World’. The Normal World runs the Android OS, while the Secure World hosts critical security functions, including the Keymaster TA. Communication between the Normal World and Secure World is strictly controlled via an ARM Secure Monitor. The TrustZone environment is designed to be highly resilient against software attacks originating from the Normal World, making physical attacks the primary avenue for compromise.

Fault Injection Attacks: A Primer

Fault injection is a class of hardware attacks, closely related to side-channel attacks, in which an attacker deliberately introduces a transient fault into a computing system to alter its intended behavior. The goal is usually to bypass a security check, extract sensitive information, or enable a privileged operation.

Types of Fault Injection

  • Voltage Glitching: Temporarily reducing or increasing the supply voltage to the target chip. A brief undervoltage can cause a CPU instruction to be skipped or corrupted.
  • Clock Glitching: Manipulating the clock signal to briefly speed up or slow down the CPU, leading to timing violations and instruction skips.
  • Electromagnetic Fault Injection (EMFI): Using focused electromagnetic pulses to induce faults.
  • Laser Fault Injection (LFI): Using precisely aimed laser pulses to induce faults in specific chip regions.

For Android HSM bypass, voltage and clock glitching are commonly explored due to their relative ease of implementation compared to EMFI or LFI, while still requiring significant precision and expertise.

Setting Up the Android HSM Bypass Lab

Performing fault injection requires specialized hardware and meticulous setup. Here’s what you’ll typically need:

Hardware Requirements

  • Target Android Device: An older Android phone or a development board with an accessible TEE, like a Qualcomm Snapdragon or MediaTek SoC. Crucially, the power rails of the TEE or CPU must be physically accessible for soldering.
  • Fault Injection Platform: A device capable of generating precisely timed voltage or clock glitches. Popular choices include the ChipWhisperer platform (e.g., CW305, CWLite) or custom FPGA-based solutions.
  • Programmable DC Power Supply: To provide and control the stable supply voltage to the target device.
  • High-Speed Oscilloscope: Essential for monitoring voltage lines and verifying glitch parameters.
  • Logic Analyzer: Useful for synchronizing glitches with specific events on the device (e.g., GPIO toggles, bus activity).
  • Soldering Station & Magnification: For precise soldering of thin wires to small power rails.
  • Probes & Jumpers: For connecting the glitching hardware.

Software Requirements

  • ADB & Fastboot: For interacting with the Android device.
  • ChipWhisperer Software Suite: If using a ChipWhisperer platform, this provides APIs for controlling the glitching hardware.
  • Disassembler/Decompiler (e.g., Ghidra, IDA Pro): For reverse engineering the Keymaster TA binaries (if available and necessary to pinpoint glitch targets).

Step-by-Step Fault Injection Attack on Keymaster

Preparing the Target Device

The first crucial step is physical preparation. This often involves:

  1. Disassembly: Carefully open the Android device.
  2. Identify Power Rails: Locate the main power rails for the SoC, specifically VDD_CORE or VDD_CPU, or even more granular rails if the TEE has a dedicated one. This often requires referring to datasheets or schematics (if available) or using a multimeter to trace power lines.
  3. Solder Wires: Carefully solder thin enamel-coated wires (e.g., 36 AWG) to the identified power rail and a reliable ground point. These will be connected to your fault injection hardware. Ensure connections are secure and insulated to prevent shorts.
```shell
# Example ADB commands for device preparation (assuming bootloader unlocked)
adb reboot bootloader
fastboot flashing unlock   # WARNING: This erases data and voids warranty
fastboot reboot
```

Identifying Critical Keymaster Operations

To perform an effective fault injection attack, you need to target a specific instruction or small sequence of instructions within the Keymaster TA. Common targets include:

  • Key Generation (`keymaster_generate_key`): Bypassing entropy checks or allowing creation of keys with unauthorized properties (e.g., extractable, too short).
  • Key Import (`keymaster_import_key`): Bypassing checks on key format, origin, or properties.
  • Signature Verification (`keymaster_sign`, `keymaster_verify`): Bypassing a crucial integrity check that verifies the authenticity of data or the key itself. This is a common target to force a ‘true’ return value despite an incorrect signature.

Pinpointing these instructions usually involves reverse engineering the Keymaster TA binary (often located in `/vendor/firmware_mnt/image/tee` or similar paths on the normal world, though the actual execution happens in the secure world). Tools like Ghidra or IDA Pro can help analyze the ARM TrustZone OS and the TAs.

The Glitching Strategy: Bypassing Signature Verification

Let’s consider a theoretical scenario: bypassing a signature verification within the Keymaster TA. The TA might perform a critical comparison, like `if (signature_valid == false) return ERROR;`. If we can glitch the CPU at the exact moment this comparison is made, or while the `return ERROR` instruction is executing, we might force the TA to proceed as if the signature were valid.
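Added here as an example (not code from this lab, from Keymaster, or from any real TA): the single-branch check quoted above beside a glitch-hardened form of the same decision. The tag values are constructed, and the `skip_error_return` / `corrupt_first_check` flags are a software stand-in for a fault so the two patterns can be compared without any hardware.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define TAG_LEN 16
/* Status words with a large Hamming distance: a register that a glitch
   zeroes, sets to all-ones or single-bit-flips cannot map one onto the other. */
#define SIG_OK   0x5A5AC33Cu
#define SIG_FAIL 0xA5A53CC3u

/* Constructed sample tags for the test, not real Keymaster data. */
static const uint8_t TAG_EXPECTED[TAG_LEN] =
    {0x10,0x32,0x54,0x76,0x98,0xba,0xdc,0xfe,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef};
static const uint8_t TAG_TAMPERED[TAG_LEN] =
    {0x10,0x32,0x54,0x76,0x98,0xba,0xdc,0xfe,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xee};

/* Constant-time tag comparison; stands in for the TA's real signature check. */
static bool tag_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < TAG_LEN; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* The pattern the article targets: one boolean, one branch, one "return ERROR".
   'skip_error_return' models that single skipped instruction so the test can
   show the outcome without hardware. */
int verify_naive(const uint8_t *expected, const uint8_t *got, bool skip_error_return) {
    bool signature_valid = tag_equal(expected, got);
    if (signature_valid == false && !skip_error_return) return -1;
    return 0;   /* reached after a skipped return even though the tag was wrong */
}

/* Hardened pattern: default-deny status, two independently computed checks
   (the second walks the tag backwards so one skipped instruction cannot satisfy
   both), and a consistency check of the result right before it is returned.
   'corrupt_first_check' models a glitch forcing the first check to "valid". */
uint32_t verify_hardened(const uint8_t *expected, const uint8_t *got, bool corrupt_first_check) {
    volatile uint32_t status = SIG_FAIL, c1 = SIG_FAIL, c2 = SIG_FAIL;
    uint8_t diff = 0;
    c1 = tag_equal(expected, got) ? SIG_OK : SIG_FAIL;
    if (corrupt_first_check) c1 = SIG_OK;                  /* simulated fault */
    for (size_t i = TAG_LEN; i-- > 0;) diff |= expected[i] ^ got[i];
    c2 = (diff == 0) ? SIG_OK : SIG_FAIL;
    if (c1 == SIG_OK && c2 == SIG_OK) status = SIG_OK;     /* only path to success */
    if ((c1 ^ c2) != 0 || status != c1) status = SIG_FAIL; /* any disagreement denies */
    return status;
}
```

`volatile` only discourages the compiler from folding the two checks back into one branch; in a real TA the countermeasure has to be confirmed in the disassembly, because an optimizer can collapse redundant comparisons into exactly the single glitch target described above.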

Executing a Voltage Glitch

With the target identified and the hardware connected, the attack involves a repetitive, precise execution loop:

  1. Connect Glitching Hardware: Connect the soldered wires from your target device to the glitching platform (e.g., ChipWhisperer shunt resistor or voltage modulator).
  2. Program Glitch Parameters: Set the glitch pulse width (duration, typically tens to hundreds of nanoseconds) and the glitch offset (timing relative to a trigger event). This is the most challenging part, requiring extensive experimentation.
  3. Establish a Trigger: Trigger the Keymaster operation you wish to target from the Normal World. This might be a specific Android API call that invokes the `keymaster_sign` operation. Use a GPIO pin on the target device or monitor power consumption to synchronize the glitch.
  4. Execute Glitching Loop (the original snippet is cut off after the trigger-source assignment):

```python
# Pseudocode for a voltage glitch loop (ChipWhisperer-like API)
import chipwhisperer as cw

scope = cw.scope()
target = cw.target(scope)

# Configure scope for voltage glitching
scope.glitch.trigger_src =
```
