Introduction: The Enigma of TrustZone OS
The Android ecosystem relies heavily on hardware-backed security features, chief among them being ARM TrustZone. TrustZone provides a hardware-isolated environment known as the Trusted Execution Environment (TEE), which runs a dedicated operating system, often referred to as the TrustZone OS (TZOS) or TEE OS. This secure realm handles critical operations like cryptographic key storage, secure boot verification, DRM, and biometric authentication, making it a prime target for security researchers and reverse engineers.
Extracting the TZOS firmware is a foundational step in understanding its inner workings, identifying potential vulnerabilities, and verifying security claims. However, due to its critical security role, TZOS is heavily protected by secure boot mechanisms, memory access restrictions, and other hardware protections, making its extraction a challenging endeavor.
Prerequisites and Initial Reconnaissance
Before diving into the extraction process, a solid understanding of several key areas is essential, along with a thorough initial reconnaissance:
- Linux Fundamentals: Proficiency in Linux command-line tools is crucial for analysis and tool execution.
- Basic Hardware Knowledge: Familiarity with mobile device components, soldering, and digital electronics.
- Reverse Engineering Basics: Understanding assembly language (ARM/ARM64), firmware structures, and debugging concepts.
- Target Device Identification: Precisely identify the device model, its System-on-Chip (SoC) manufacturer (Qualcomm, MediaTek, Samsung Exynos, etc.), and the Android version. This dictates the specific tools and methods applicable.
- Bootloader Status: Determine if the device’s bootloader is locked or unlockable. An unlocked bootloader can sometimes simplify access.
- Available Exploits: Research any known vulnerabilities for the target SoC or bootloader that might allow privileged access (e.g., Qualcomm EDL mode exploits, MediaTek Preloader exploits).
Methods for TZOS Extraction
1. Software-Based Exploits (Highly Specific and Rare)
Software-based extraction relies on leveraging vulnerabilities in the device’s bootloader, kernel, or other privileged components to gain control sufficient to dump memory regions or specific partitions. These methods are typically device- and version-specific, require significant expertise, and are quickly patched by vendors.
- Bootloader Vulnerabilities: Exploits that allow arbitrary code execution during the boot process, enabling researchers to dump partitions before the full secure boot chain is established.
- Pre-loader Attacks: For certain SoCs (e.g., Qualcomm’s Emergency Download (EDL) mode or MediaTek’s Preloader), specific test modes can sometimes be abused to gain read/write access to the eMMC/UFS flash, bypassing Android’s normal security.
While powerful, these methods are not a general-purpose solution for TZOS extraction across various devices.
2. Hardware-Assisted Dumps (More Reliable and General)
For a more reliable and universal approach, hardware-assisted dumping methods are often employed. These techniques bypass software protections by directly interacting with the storage chip or other debug interfaces.
- JTAG/UART: Joint Test Action Group (JTAG) and Universal Asynchronous Receiver-Transmitter (UART) ports are debug interfaces that can provide low-level access to the SoC. Locating and utilizing these test points often requires schematics or meticulous board analysis. Once connected, tools like OpenOCD can be used to halt the CPU and dump memory or flash contents.
- eMMC/UFS Direct Chip-Off: This involves desoldering the eMMC (embedded MultiMediaCard) or UFS (Universal Flash Storage) chip from the device’s PCB and reading its contents using a dedicated eMMC/UFS programmer. This is a destructive method but guarantees a full dump.
- In-System Programming (ISP) through Test Points: A non-destructive alternative to chip-off. ISP involves soldering thin wires directly to specific data, clock, and command pins on the eMMC/UFS chip or its test points on the PCB. These wires are then connected to an eMMC/UFS programmer (e.g., UFI Box, Easy JTAG Plus, Medusa Pro Box), allowing in-circuit access to the flash memory. This is often the most practical hardware method for full dumps.
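Whichever hardware method produces the raw flash image, the TZOS image still has to be located inside it: Android eMMC/UFS storage is GPT-partitioned, and the TEE OS sits in its own partition whose label varies by vendor. The following is an added example, not code from the original article: it parses the primary GPT of a full dump (with the header CRC check, so a truncated or corrupted dump fails loudly) and carves out every partition whose label is on an assumed list of TEE OS names. The name list (`tz`, `tz_a`/`tz_b`, `tee1`/`tee2`, `trustzone`) is a starting point, not exhaustive, and the sample image built by `build_sample_image` is constructed for illustration rather than taken from a real device.

```python
import struct, zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
TZ_NAMES = ("tz", "tz_a", "tz_b", "tee1", "tee2", "trustzone")  # assumption: common TEE OS labels, not exhaustive

def parse_gpt(image: bytes, sector: int = SECTOR):
    """Parse the primary GPT at LBA 1 of a raw dump; return [(name, first_lba, last_lba), ...]."""
    hdr = image[sector:sector + 92]
    if hdr[:8] != GPT_SIG:
        raise ValueError("no GPT signature at LBA 1 (wrong sector size or not a full dump?)")
    hdr_size, hdr_crc = struct.unpack_from("<II", hdr, 12)
    # The header CRC32 is computed over the header with its own CRC field zeroed.
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) & 0xFFFFFFFF != hdr_crc:
        raise ValueError("GPT header CRC mismatch (truncated or corrupted dump)")
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(n_entries):
        ent = image[entries_lba * sector + i * entry_size:][:entry_size]
        if ent[:16] == b"\0" * 16:          # an all-zero type GUID marks an unused slot
            continue
        name = ent[56:128].decode("utf-16-le").rstrip("\0")
        parts.append((name, *struct.unpack_from("<QQ", ent, 32)))
    return parts

def carve_tz(image: bytes, sector: int = SECTOR, names=TZ_NAMES):
    """Return {name: raw bytes} for every partition whose label matches a known TEE OS name."""
    return {n: image[f * sector:(l + 1) * sector]
            for n, f, l in parse_gpt(image, sector) if n.lower() in names}

def build_sample_image(sector: int = SECTOR) -> bytes:
    """Constructed test input: a 7-sector GPT disk with 'modem' and 'tz' partitions, not a real dump."""
    n_entries, entry_size = 4, 128
    def entry(name, first, last):
        e = bytearray(entry_size)
        e[0:16] = b"\x01" * 16                  # any non-zero type GUID (constructed value)
        struct.pack_into("<QQ", e, 32, first, last)
        e[56:56 + 2 * len(name)] = name.encode("utf-16-le")
        return bytes(e)
    entries = (entry("modem", 3, 3) + entry("tz", 4, 5)).ljust(n_entries * entry_size, b"\0")
    hdr = bytearray(92)
    struct.pack_into("<8sIII", hdr, 0, GPT_SIG, 0x00010000, 92, 0)  # signature, revision, size, crc=0
    struct.pack_into("<QQQQ", hdr, 24, 1, 6, 3, 5)                 # this/backup LBA, first/last usable
    struct.pack_into("<QII", hdr, 72, 2, n_entries, entry_size)    # entry array at LBA 2
    struct.pack_into("<I", hdr, 88, zlib.crc32(entries) & 0xFFFFFFFF)
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    tz_payload = b"TZ-OS-IMAGE".ljust(2 * sector, b"\0")          # stands in for the TEE OS image
    return (b"\0" * sector + bytes(hdr).ljust(sector, b"\0") + entries
            + b"\0" * sector + tz_payload + b"\0" * sector)
```

On a real dump, pass the file contents to `carve_tz` with the device's logical sector size (4096 on most UFS parts) and write each returned blob to disk for further analysis.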
A Practical Workflow: eMMC/UFS ISP Dumping
This section outlines a practical, widely applicable workflow focusing on the ISP method, as it balances reliability with being non-destructive to the chip itself.
Step 1: Device Disassembly and Test Point Identification
Carefully disassemble the Android device. Once the mainboard is exposed, locate the eMMC or UFS chip. These are typically large, square BGA packages near the SoC. The next critical step is to identify the ISP test points:
- CMD: Command line
- CLK: Clock line
- DAT0 (or DATA0): Data line 0 (often the primary data line for communication)
- GND: Ground
- VCC: Core voltage for the eMMC/UFS
- VCCQ: I/O voltage for the eMMC/UFS
These points can sometimes be found on publicly available schematics or boardviews. Otherwise, a multimeter in continuity mode and careful tracing from the chip’s pins may be required to find accessible test pads.
Step 2: Soldering and Connection to Programmer
With test points identified, carefully solder thin, insulated wires (e.g., 30 AWG Kynar wire) to each of the ISP points. Connect these wires to your chosen eMMC/UFS programmer. Ensure clean, strong solder joints to prevent intermittent connections during the dump process.
+-----------------------+       +----------------------+       +--------------------+
| Android Mainboard     |       | eMMC/UFS Chip        |       | eMMC Programmer    |
|                       |       |                      |       |                    |
| .--ISP Test Point--+--|-------|--eMMC/UFS Pin (CMD)--|-------| Programmer Pin CMD |
|                       |       |                      |       |                    |
| .--ISP Test Point--+--|-------|--eMMC/UFS Pin (CLK)--|-------| Programmer Pin CLK |
|                       |       |                      |       |                    |
| .--ISP Test Point--+--|-------|--eMMC/UFS Pin (DAT0)-|-------| Programmer Pin DAT0|
|                       |       |                      |       |                    |
| .--ISP Test Point--+--|-------|--eMMC/UFS Pin (GND)--|-------| Programmer Pin GND |
|                       |       |                      |       |                    |
+-----------------------+       +----------------------+       +--------------------+
Step 3: Dumping the Full eMMC/UFS
Power on your eMMC/UFS programmer and launch its accompanying software (e.g., UFI Android ToolBox, EasyJTAG Plus Software). Configure the software to detect the eMMC/UFS chip. Once detected, initiate a