Android Hardware Reverse Engineering

Reverse Engineering Android PMICs: Uncovering Registers for Targeted Fault Injection Attacks

By Antigravity Research Published May 29, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: The Heart of Android Power Management

Power Management Integrated Circuits (PMICs) are the unsung heroes of modern Android devices, orchestrating everything from battery charging and voltage regulation to power sequencing and system sleep states. These complex ICs are critical for device operation, and their robust design is essential for stability. However, their very centrality makes them a prime target for security research, particularly in the realm of hardware fault injection. By understanding and manipulating PMIC registers, attackers can induce transient or persistent faults, potentially bypassing security mechanisms, escalating privileges, or even achieving denial-of-service conditions.

This article delves into the methodologies for reverse engineering Android PMICs to uncover their internal register maps, focusing on techniques that enable targeted power fault injection. We’ll explore software-based analysis of kernel drivers and device trees, and briefly touch upon hardware sniffing, culminating in a discussion of how identified registers can be exploited for security research.

Methodology 1: Software-Based Analysis (Kernel and Device Tree)

Leveraging Kernel Source Code and Device Tree Overlays

The most accessible starting point for PMIC reverse engineering is the Android kernel source code, specifically the device tree source (DTS) files and PMIC drivers. Modern Android devices extensively use the Linux kernel, which includes drivers for various PMICs. These drivers often contain valuable information about the PMIC’s I2C or SPI address, its register layout, and the functions associated with specific registers.

Step-by-Step Kernel Source Exploration:

  1. Identify the PMIC: Often, the PMIC vendor and model (e.g., Qualcomm PM8953, MediaTek MT6357, NXP PCA9450) can be found in the device’s specifications, teardowns, or by searching the device’s kernel configuration.
  2. Locate PMIC Drivers: Navigate to the kernel source directory (e.g., drivers/regulator, drivers/mfd, drivers/power) and search for files related to your identified PMIC. For example, a Qualcomm PMIC might have a driver like drivers/mfd/qcom_pm8xxx.c or similar.
  3. Examine Device Tree Files: The device tree (usually in arch/arm/boot/dts/ or arch/arm64/boot/dts/) describes hardware components. Search for your PMIC’s name or its I2C/SPI address (often 0xXX or 0xYY for common PMICs) within .dts or .dtsi files. These files reveal the PMIC’s I2C address, its regulators’ properties (voltage ranges, operating modes), and often critical register initializations.

Consider this snippet from a hypothetical device tree fragment for a PMIC:

pmic@3c {  compatible = "qcom,pm8350c";  reg = <0x3c>;  #address-cells = <1>;  #size-cells = <0>;  interrupt-parent = <&gpio>;  interrupts = <21 IRQ_TYPE_LEVEL_LOW>;  vreg_l1: LDO1 {    regulator-name = "vdd_core";    regulator-min-microvolt = <800000>;    regulator-max-microvolt = <950000>;    regulator-always-on;    qcom,power-supply-id = <1>;  };  vreg_s1: BUCK1 {    regulator-name = "vdd_gpu";    regulator-min-microvolt = <600000>;    regulator-max-microvolt = <1100000>;    regulator-always-on;    qcom,power-supply-id = <2>;  };};

This example shows the PMIC at I2C address 0x3c, defining two regulators: LDO1 (for VDD_CORE) and BUCK1 (for VDD_GPU), along with their voltage ranges. The PMIC driver would then map these into specific hardware registers.

Extracting Register Information from Drivers:

Within the driver files (e.g., qcom_pm8xxx-regulator.c), look for functions that perform I2C/SPI writes or reads. These functions often use patterns like i2c_smbus_write_byte_data, regmap_write, or similar abstractions. Search for register definitions, often `define` constants or enumerations, which map symbolic names to physical register addresses. For instance, you might find:

#define PMIC_VREG_L1_VOLTAGE_REG 0x1401#define PMIC_VREG_L1_ENABLE_REG 0x1400...static int pm8350c_ldo_set_voltage(struct regulator_dev *rdev, int min_uV, int max_uV){  // ... code to calculate voltage selector value ...  regmap_write(rdev->regmap, PMIC_VREG_L1_VOLTAGE_REG, selector_val);  // ...}

This snippet explicitly reveals the register address 0x1401 controlling LDO1’s voltage. This is gold for fault injection, as directly manipulating this register could starve a critical component like the CPU core.

Methodology 2: Hardware-Based Analysis (Bus Sniffing)

When kernel source is unavailable or obfuscated, hardware bus sniffing becomes crucial. Tools like a logic analyzer or specialized I2C/SPI sniffers can capture communication between the SoC and the PMIC during boot-up or specific operations. By observing the sequences of register writes, especially during power-on reset or when changing power states, you can infer register functions.

Steps for Bus Sniffing:

  1. Identify I2C/SPI Lines: Locate the I2C SCL/SDA or SPI CLK/MISO/MOSI lines connecting the SoC to the PMIC. This often requires device disassembly and tracing.
  2. Attach Logic Analyzer: Connect the probes to the data and clock lines.
  3. Capture Traffic: Boot the device or perform actions that trigger PMIC interactions (e.g., adjusting display brightness, entering sleep mode).
  4. Analyze Captured Data: Use the logic analyzer’s software to decode I2C/SPI packets. Look for patterns of writes to specific addresses. Correlate these writes with observed system behavior (e.g., a specific voltage rail turning on/off, or a device crashing).

This method requires patience and a good understanding of the device’s boot process, but it can yield results even without any software documentation.

Targeted Fault Injection through Register Manipulation

Once PMIC registers are identified, the next step is to manipulate them to induce faults. The goal is often to momentarily undervolt, overvolt, or abruptly cut power to a critical component, thereby causing a computational error without permanent damage.

Techniques for Register Manipulation:

  1. Custom Kernel Module: If you have root access and can load kernel modules, you can write a simple module to directly interact with the PMIC via the kernel’s regmap interface or raw I2C/SPI drivers.
  2. User-space I2C Tools: On rooted devices, you might use i2c-tools (i2cset, i2cget) to directly read/write PMIC registers, assuming the kernel exposes the I2C bus via /dev/i2c-X.
  3. Hardware Interface: For more precise, transient faults, direct hardware intervention might be necessary. This could involve using a microcontroller (e.g., Arduino, Raspberry Pi) to send I2C/SPI commands directly to the PMIC during operation, or even physically injecting glitches onto power rails based on register-identified voltage levels.

Example: Inducing a Fault on VDD_CORE

Let’s assume we identified PMIC_VREG_L1_VOLTAGE_REG (0x1401) as controlling vdd_core. A normal operation might set it to a value representing 900mV. To induce a fault, we could momentarily drop this voltage to, say, 500mV.

# Assume i2c-1 is the bus connected to the PMIC# PMIC I2C address is 0x3c# Register to modify is 0x1401 (PMIC_VREG_L1_VOLTAGE_REG)# Original voltage value (e.g., 900mV encoded as 0x5A)# Faulty voltage value (e.g., 500mV encoded as 0x20)echo 1401 5A > /sys/kernel/debug/i2c-1/3c/regs // Read/Write interface or using i2cset# Read current value (optional for verification)i2cget -y 1 0x3c 0x1401# Write a low voltage value to induce faulti2cset -y 1 0x3c 0x1401 0x20# Quickly restore to original value (for transient fault)sleep 0.001 # A very short delayi2cset -y 1 0x3c 0x1401 0x5A

This sequence, executed rapidly, could cause a transient undervoltage condition on the CPU core, potentially leading to incorrect computations, skipped instructions, or data corruption – all desirable outcomes for fault injection research.

Challenges and Ethical Considerations

Reverse engineering PMICs is challenging due to complex architectures, proprietary documentation, and potential obfuscation. There’s also a significant risk of permanently damaging the device. Furthermore, engaging in such research requires a strong ethical compass. Fault injection techniques, while powerful for security research and improving device resilience, can also be misused. Always ensure your activities are conducted on your own hardware, with appropriate permissions, and within legal and ethical boundaries.

Conclusion

Reverse engineering Android PMICs provides an unparalleled understanding of a device’s lowest-level power management. By diligently analyzing kernel source, device trees, and even physical bus communications, researchers can uncover the hidden register maps that control critical power rails. This knowledge is invaluable for targeted fault injection attacks, opening new avenues for discovering hardware vulnerabilities and enhancing the overall security posture of Android devices. As hardware security continues to evolve, the ability to dissect and manipulate these fundamental components will remain a crucial skill for security professionals.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #Embedded Systems #Fault Injection #Hardware Reverse Engineering #PMIC

Related Technical Guides

Data Recovery from Bricked Android Phones: Forensic Imaging via Qualcomm EDL Mode

May 29, 2026

Reverse Engineering Android Boards: A Hands-On Lab for Identifying and Activating UART Pins

May 30, 2026

From Zero to Secure World Shell: Exploiting a TrustZone TA Logic Bug Step-by-Step

May 29, 2026