Introduction to Qualcomm QSEE and TrustZone
The security of modern mobile devices, particularly those powered by Qualcomm Snapdragon SoCs, heavily relies on a component known as the Qualcomm Secure Execution Environment (QSEE). QSEE is Qualcomm’s implementation of ARM’s TrustZone technology, a hardware-enforced isolation mechanism that creates two distinct execution environments: the Normal World and the Secure World. While the Normal World hosts the traditional operating system (like Android), the Secure World runs a lightweight, purpose-built operating system, often referred to as the TrustZone OS (TZOS) or Secure OS. This Secure World is designed to handle critical operations such as secure boot, digital rights management (DRM), biometric authentication, secure storage, and cryptographic key management, making it a lucrative target for security researchers.
Understanding and analyzing the TZOS firmware is paramount for identifying potential vulnerabilities that could compromise the entire device’s security. This deep dive will guide you through the intricacies of Snapdragon TrustZone architecture and provide practical steps for extracting its firmware, primarily focusing on software-based methods via Emergency Download (EDL) mode.
Why Extract TrustZone OS Firmware?
Extracting the TZOS firmware is a foundational step for advanced security research, vulnerability discovery, and reverse engineering. By gaining access to the raw firmware image, researchers can:
- Identify Vulnerabilities: Analyze the code for logic flaws, buffer overflows, or cryptographic weaknesses that could be exploited to bypass security features.
- Understand Secure Boot Chains: Decipher how the device verifies the integrity of bootloaders and the operating system.
- Reverse Engineer TEE Applications (Trustlets/TA): Study the proprietary applications running in the Secure World to understand their functions and interactions with the Normal World.
- Develop Exploits: Create proof-of-concept exploits to demonstrate the impact of discovered vulnerabilities.
- Enhance Device Security: Provide crucial insights to manufacturers for patching vulnerabilities and improving overall device security posture.
Snapdragon TrustZone Architecture Overview
ARM TrustZone technology partitions the SoC into two worlds. The CPU, memory, and peripherals can be switched between these two states via a hardware register, ensuring that code running in the Secure World cannot be interfered with by processes in the Normal World. Communication between the two worlds is strictly controlled through Secure Monitor Calls (SMC). When Android (Normal World) needs a secure service, it makes an SMC call, which triggers a context switch to the Secure World, where the TZOS handles the request.
On Snapdragon devices, the TZOS firmware is typically stored in a dedicated partition, often named tz or similar, within the eMMC/UFS storage. This firmware, along with its associated applications (trustlets), forms the backbone of the device’s Trusted Execution Environment (TEE). The boot process is designed to ensure that the TZOS is verified and loaded before the Normal World OS, establishing a chain of trust.
Methods for TZOS Firmware Extraction
There are generally two categories of methods for extracting firmware from embedded devices:
Software-Based Extraction
This approach leverages software mechanisms or vulnerabilities to read firmware directly from the device’s internal storage without physical desoldering. Common methods include:
- Emergency Download (EDL) Mode: A Qualcomm-specific boot mode designed for low-level flashing and recovery. It’s often the most accessible method for dumping partitions, even on locked devices, given the right programmer.
- Exploiting Vulnerable Bootloaders/Kernels: If a vulnerability exists in the device’s bootloader or kernel, it might be possible to gain read access to internal partitions.
- System Dumps from Rooted Devices: While a rooted device can typically access many partitions, some highly secured partitions like tz might still be protected by the kernel or TrustZone itself.
Hardware-Based Extraction
These methods involve physical manipulation of the device or its components:
- Chip-Off Forensics: Desoldering the eMMC/UFS chip from the PCB and directly reading its contents using a specialized reader. This provides a complete dump but is destructive to the device.
- JTAG/SWD Debug Interfaces: If debug ports like JTAG or SWD are enabled, they can provide low-level access to memory and CPU registers, potentially allowing firmware extraction. However, these are typically disabled on production devices.
Step-by-Step Guide: Extracting TZOS via EDL Mode
EDL mode is a powerful feature on Qualcomm devices, allowing interaction with the device even when it’s seemingly bricked. It uses a proprietary protocol (often called ‘Firehose’) to communicate with a programmer firmware running on the device’s SoC. This guide focuses on using qdl, a common Python-based tool for interacting with Qualcomm devices in EDL mode.
Prerequisites
- Qualcomm USB Drivers: Install the necessary drivers on your Windows or Linux machine for the device to be recognized in EDL mode (usually as ‘Qualcomm HS-USB QDLoader 9008’).
- qdl Tool: A Python script (or similar utility) that implements the Firehose protocol. You can find several implementations on GitHub, e.g., github.com/bkerler/qdl.
- Firehose Programmer: A device-specific programmer file (e.g., prog_emmc_firehose_XXXX_ddr.mbn or prog_ufs_firehose_XXXX_ddr.mbn). This file is crucial as it’s loaded onto the device’s RAM by the EDL bootrom to handle storage operations. These can often be found in stock firmware packages or online forums.
- Python 3: With required libraries (e.g., pyserial).
1. Entering EDL Mode
This is often the trickiest part, as manufacturers try to restrict access:
- adb reboot edl: On some older or development devices, this command might work directly from Android.
- fastboot oem edl: If the bootloader is unlocked, some devices allow entering EDL via a Fastboot command.
- Physical Test Point: The most common and reliable method. This involves shorting specific pins on the PCB while connecting the device to a PC. Search online forums (e.g., XDA Developers) for your specific device model’s EDL test points. This usually requires disassembling the device.
- EDL Cable: Some custom USB cables are designed to force EDL mode upon connection.
Once in EDL mode, your device should appear in Device Manager (Windows) or lsusb (Linux) as a Qualcomm HS-USB QDLoader 9008 device.
2. Identifying and Using the Firehose Programmer
The Firehose programmer is specific to the SoC and storage type (eMMC/UFS). Ensure you have the correct .mbn file for your device’s Snapdragon model.
First, identify the correct COM port:
# On Windows, check Device Manager for 'Qualcomm HS-USB QDLoader 9008 (COMx)'
# On Linux, use dmesg after connecting to see the ttyUSB device:
dmesg | grep ttyUSB
Let’s assume the COM port is COM3 (or /dev/ttyUSB0 on Linux).
3. Dumping the TZ Partition
Using the qdl tool, you can now interact with the device. First, it’s good practice to get the partition table:
python qdl.py --port COM3 --loader prog_emmc_firehose_xxxx.mbn --getpartitiontable
This command will list all partitions on the device, including their names, sizes, and block numbers. Look for the partition named tz (or similar, like hyp for hypervisor or other secure partitions).
Once you’ve identified the tz partition, you can dump its contents:
python qdl.py --port COM3 --loader prog_emmc_firehose_xxxx.mbn --read_partition tz tz.bin
Replace prog_emmc_firehose_xxxx.mbn with your specific programmer file and COM3 with your device’s COM port. The command will read the entire tz partition and save it as tz.bin in your current directory.
Analyzing the Extracted Firmware
With tz.bin in hand, you can begin the reverse engineering process:
Initial Triage
- Binwalk: Use binwalk -e tz.bin to identify embedded file systems, compression, and other known file types within the firmware. This can help you extract components like trustlets.
- Strings: Run strings tz.bin | grep
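As an added example (not part of the original guide), the following Python script performs the initial triage described above on a dump: it checks whether the image is ELF-wrapped (Qualcomm tz images are commonly shipped as ELF/MBN files, which this example assumes), lists each program header with its load address and permissions, flags segments whose file data falls outside the dump (a sign of a short or truncated read), and extracts printable strings the way `strings` does. It runs against a constructed minimal ELF standing in for tz.bin; `build_sample_elf` and the dictionary field names are the example's own.

```python
import re
import struct

def build_sample_elf():
    """Constructed stand-in for tz.bin: minimal little-endian ELF64 with one
    PT_LOAD segment (not a real Qualcomm image)."""
    payload = b"\x00" * 16 + b"QSEE secure os build\x00tzbsp_init\x00\x01\x02"
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9          # ELF64, LE, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0xB7, 1, 0x86400000,
                       64, 0, 0, 64, 56, 1, 0, 0, 0)       # phoff=64, one phdr
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 120, 0x86400000, 0x86400000,
                       len(payload), len(payload), 0x1000)  # PT_LOAD, r-x
    return ehdr + phdr + payload

def flags_str(flags):  # p_flags bits: PF_R=4, PF_W=2, PF_X=1
    return "".join(c if flags & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))

def parse_elf_segments(blob):
    """None if blob is not ELF; else list of program headers (stops at truncation)."""
    if len(blob) < 64 or blob[:4] != b"\x7fELF":
        return None
    end = "<" if blob[5] == 1 else ">"                      # EI_DATA: 1 = little-endian
    if blob[4] == 2:                                        # EI_CLASS: 2 = ELF64
        phoff = struct.unpack(end + "Q", blob[32:40])[0]
        phentsize, phnum = struct.unpack(end + "HH", blob[54:58])
        fmt = end + "IIQQQQQQ"   # type, flags, off, vaddr, paddr, filesz, memsz, align
    else:                                                   # ELF32
        phoff = struct.unpack(end + "I", blob[28:32])[0]
        phentsize, phnum = struct.unpack(end + "HH", blob[42:46])
        fmt = end + "IIIIIIII"   # type, off, vaddr, paddr, filesz, memsz, flags, align
    size, segs = struct.calcsize(fmt), []
    for i in range(phnum):
        start = phoff + i * phentsize
        if start + size > len(blob):                        # header table cut off
            break
        f = struct.unpack(fmt, blob[start:start + size])
        if blob[4] == 2:
            ptype, flags, off, vaddr, _, filesz, memsz, _ = f
        else:
            ptype, off, vaddr, _, filesz, memsz, flags, _ = f
        segs.append({"type": ptype, "perms": flags_str(flags), "offset": off,
                     "vaddr": vaddr, "filesz": filesz, "memsz": memsz,
                     "in_dump": off + filesz <= len(blob)})   # False => short read
    return segs

def printable_strings(blob, min_len=6):
    """Equivalent of `strings -n 6`: runs of printable ASCII bytes."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

DUMP = build_sample_elf()   # real use: DUMP = open("tz.bin", "rb").read()
```

Segments with `in_dump` set to False mean the read ended early and the dump should be repeated before any further analysis.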