Android Hardware Reverse Engineering

From Zero to Hero: Extracting TrustZone OS Binaries via JTAG/SWD on Android


Introduction to ARM TrustZone and Secure Boot

ARM TrustZone is a system-wide security extension present in most modern ARM-based System-on-Chips (SoCs), including those in Android devices. It partitions the processor, the bus fabric and selected peripherals into two execution environments, the Normal World and the Secure World, distinguished by a non-secure (NS) attribute that accompanies every bus transaction. The Normal World, where Android, its kernel and its applications run, cannot touch resources marked secure, no matter how privileged the code is. The Secure World hosts the TrustZone Operating System (TZOS, a trusted execution environment such as OP-TEE, Trusty or QSEE), the secure monitor that switches between the worlds, key material, DRM engines and cryptographic services. The separation is designed to hold even when the Normal World, including the Linux kernel, is fully compromised.

Secure Boot complements TrustZone. It is rooted in immutable boot ROM and in public-key hashes burned into one-time-programmable fuses, and it ensures that only authenticated and authorized software runs from the very first stage of boot-up: each bootloader stage verifies the signature of the next before handing over control. The TZOS is one of the earliest images in this chain of trust and is loaded into memory that only the Secure World can access, which is what makes it so well protected against software-only extraction.

Why JTAG/SWD for TrustZone OS Binary Extraction?

Extracting the TZOS binary is the starting point for assessing a device's secure posture, hunting for vulnerabilities in the TZOS itself, or performing forensic analysis. Reading the Android filesystem, even as root, does not get you far: on many SoCs the TZOS image does sit on a dedicated flash partition, but it is frequently encrypted there, and the decrypted, relocated image together with its runtime data exists only in secure RAM that the Normal World cannot read. This is where hardware debug interfaces, Joint Test Action Group (JTAG) and Serial Wire Debug (SWD), become indispensable.

JTAG/SWD talks to the SoC's CoreSight debug infrastructure and, through it, to the CPU cores, memory and peripherals, bypassing software-level protections. If debug access is enabled, it lets a researcher halt a core, read and write memory, set breakpoints and modify registers. One detail decides everything that follows: ARM's debug authentication signals (DBGEN, NIDEN, SPIDEN, SPNIDEN) control separately whether Normal World and Secure World state may be debugged. With only DBGEN asserted you can halt the core while it runs Android, but secure memory and registers stay invisible; extracting the Secure World requires SPIDEN (secure invasive debug), which production devices usually fuse off.

Challenges and Prerequisites

  • Hardware Access: Physical access to the device and its internal PCB is mandatory.
  • JTAG/SWD Pins: Identifying the test points (TDI, TDO, TCK, TMS, plus optional nTRST/nSRST, for JTAG; SWDIO and SWCLK for SWD) on the PCB. These are often small, unpopulated pads. Android application processors almost always expose JTAG; SWD is mainly found on Cortex-M microcontrollers, although a CoreSight debug port can be switched between the two protocols.
  • Debug Fuses: Many production devices have JTAG/SWD debug capabilities permanently disabled by blowing eFuses during manufacturing. Successful extraction often depends on finding devices where these fuses are not blown or where a bypass technique is viable (e.g., voltage glitching, fault injection, or specific boot modes). This tutorial assumes JTAG/SWD is accessible, at least in a limited capacity.
  • Memory Protections: Even with debug access, Secure World memory is fenced off by the TrustZone Address Space Controller (TZASC) for RAM, the TrustZone Protection Controller (TZPC) for peripherals, and the secure/non-secure attribute carried by every debug access port transaction. A debugger that is only granted non-secure access reads secure regions as bus errors or zeros, not as data. Getting past this requires secure debug authentication (SPIDEN) and a solid understanding of the specific SoC's security architecture.

Hardware Setup and Pin Identification

To begin, you’ll need the following:

  • Target Device: An Android device with an exposed PCB.
  • JTAG/SWD Debugger: A SEGGER J-Link or any OpenOCD-supported adapter (FT2232H-based boards such as the Olimex ARM-USB-OCD, or a Bus Pirate in a pinch, though its bit-banged JTAG is slow). An ST-Link only talks to STMicroelectronics targets and is not suitable for an Android SoC.
  • Probes/Wires: Fine-tipped probes or thin wires for soldering to test points.
  • Multimeter/Oscilloscope: For identifying pins.
  • Soldering Iron: For connecting wires to test points.

Identifying JTAG/SWD Test Points

Locating JTAG/SWD pads is often the most challenging physical step. Here’s a common approach:

  1. Visual Inspection: Look for clusters of small, unpopulated pads near the SoC, typically 6 to 10 for JTAG (TCK, TMS, TDI, TDO, optional nTRST/nSRST, GND, VTREF) and 4 for SWD (SWDIO, SWCLK, GND, VTREF). They might be labeled `JTAG`, `TP`, or similar.
  2. Continuity Check: Use a multimeter in continuity mode. The `GND` pad is easy to find (it beeps against the RF shield cans or the battery negative terminal). `VTREF` connects to the I/O supply rail of the debug port, usually 1.8 V on a modern SoC, not the sub-1 V core voltage; it tells the debugger which logic level to drive and must not be mistaken for a signal pin.
  3. Oscilloscope/Logic Analyzer: JTAG and SWD pins are passive until a debugger drives them, so do not expect a clock on `TCK` during a normal boot. What the scope does show is the idle state: `TMS` and `TDI` are pulled high by the target (IEEE 1149.1 requires it), `TDO` is an output, and `nTRST`/`nSRST` follow reset. A pad that toggles on its own during boot is more likely UART or another bus. The reliable way to assign the remaining unknowns is a pin brute-forcer such as a JTAGulator or the JTAGenum Arduino sketch, which drives candidate pins in every permutation and looks for a valid IDCODE coming back.
  4. Reverse Engineering Schematics/Boards: If available, looking for leaked schematics or high-resolution board photos can pinpoint the exact locations.

Connecting the Debugger and OpenOCD Configuration

Once identified, carefully solder wires from the debugger to the corresponding test points on the target device, keeping the leads as short as possible. A typical JTAG connection uses `TDI`, `TDO`, `TCK`, `TMS`, `GND` and `VTREF`, plus `nTRST` and `nSRST` where exposed (optional but recommended: a system reset lets you attach before the TZOS has configured its protections). For SWD you need `SWDIO`, `SWCLK`, `GND` and `VTREF`.

Example OpenOCD Configuration

OpenOCD (Open On-Chip Debugger) is a widely used tool for interacting with JTAG/SWD. You’ll need a configuration file (`.cfg`) tailored to your debugger and target CPU. This example assumes an FT2232H-based adapter and a generic ARM Cortex-A CPU:

# ft2232h.cfg - Adapter configuration for FT2232H based debugger
interface ftdi
ftdi_device_desc
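As an added example, not part of the original article, here is a complete OpenOCD configuration that ties the pin-identification step and the extraction step together: the adapter section alone is enough to autoprobe the scan chain once candidate pads are wired, and the `dump_tz` procedure performs the halt, the secure-access check and the memory dump. Everything specific in it is an assumption to be replaced for the real board: the FT2232H wiring (channel A, no reset lines), the chip name `soc`, the generic CoreSight JTAG-DP IDCODE `0x4ba00477`, and the secure RAM range passed to `dump_tz`. It uses the OpenOCD 0.11+ command spelling (`adapter driver`, `ftdi vid_pid`); older releases use `interface ftdi` and `ftdi_vid_pid` as in the snippet above.

```tcl
# openocd-android-tz.cfg  (added example; IDs, addresses and wiring are placeholders)

# --- Adapter: FT2232H, channel A in MPSSE JTAG mode ---
adapter driver ftdi
ftdi vid_pid 0x0403 0x6010
ftdi channel 0
# layout_init <data> <direction>: TMS idles high (bit 3); TCK, TDI, TMS are outputs (bits 0, 1, 3).
ftdi layout_init 0x0008 0x000b
transport select jtag
# Start slow: flying leads soldered to test pads do not tolerate a fast TCK.
adapter speed 500
# No nTRST/nSRST wired in this example, so reset only through the TAP state machine.
reset_config none

# --- Target: one CoreSight JTAG-DP with one ARMv7 Cortex-A core behind it ---
set _CHIPNAME soc
# 0x4ba00477 is the generic ARM CoreSight JTAG-DP IDCODE (assumed here). To confirm the
# pads before defining any tap, run the adapter section alone with
#   openocd -f <adapter-only cfg> -c init -c scan_chain
# and OpenOCD autoprobes the chain, printing every IDCODE with its JEDEC manufacturer.
jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id 0x4ba00477
dap create $_CHIPNAME.dap -chain-position $_CHIPNAME.cpu
# No -dbgbase given: OpenOCD walks the ROM table to locate the core's debug registers.
target create $_CHIPNAME.cpu cortex_a -dap $_CHIPNAME.dap

# --- Extraction ---
# dump_tz <base> <size> <file>: halt the core, confirm secure debug access, dump the region.
# Usage (addresses are placeholders for the secure RAM window of your SoC):
#   openocd -f openocd-android-tz.cfg -c "init; dump_tz 0x0e000000 0x00100000 tzos.bin; shutdown"
proc dump_tz {base size outfile} {
    halt
    # SCR (CP15 c1, c1, 0) is a secure-only register. Reading it succeeds only when the
    # debug authentication signals grant secure invasive debug (SPIDEN). A failure here
    # means the fuses block secure access and the dump below will not show secure RAM.
    if {[catch {capture "arm mrc 15 0 1 1 0"} out]} {
        echo "SCR read failed, no secure debug access on this device: $out"
        return
    }
    set scr [string trim $out]
    if {$scr & 1} {
        echo "Core halted in the Normal World (SCR.NS=1); secure memory may be masked."
    } else {
        echo "Core halted in the Secure World (SCR.NS=0)."
    }
    # Peek before dumping: all-zero or all-0xff words usually mean the region is fenced
    # off by the TZASC or the address is wrong, not that the TZOS is empty.
    mdw $base 8
    dump_image $outfile $base $size
    echo "wrote $size bytes from $base to $outfile"
}
```

The secure-access check is deliberately done on a register rather than on memory: a memory read of a fenced region can silently return zeros, whereas an MRC of SCR from a core that the debugger may only touch in non-secure state fails outright, which is the signal you want before spending time on a dump. On an AArch64 SoC the target type is `aarch64` and the equivalent check would have to read SCR_EL3 instead; the adapter and tap definitions stay the same.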
