Introduction: Unlocking the Secure World’s Secrets
Android’s security architecture relies heavily on ARM TrustZone, a hardware-enforced isolation mechanism that creates a ‘Secure World’ alongside the ‘Normal World’ where the Android OS runs. This Secure World, typically implemented as a Trusted Execution Environment (TEE), safeguards critical operations like secure boot, digital rights management (DRM), and cryptographic key storage. While TrustZone is designed to be impervious to software-based attacks from the Normal World, its physical implementation is not immune to all forms of scrutiny. This article delves into the advanced technique of Electromagnetic (EM) field analysis to reverse engineer TrustZone implementations and, specifically, to hunt for cryptographic keys by analyzing their unique EM signatures.
EM-field analysis is a powerful side-channel attack method that exploits unintended information leakage through the electromagnetic radiation emitted by electronic devices during operation. Cryptographic algorithms, in particular, are susceptible because their operations involve varying power consumption patterns, which translate into measurable EM emissions. By meticulously analyzing these emissions, it’s possible to infer sensitive data, including secret keys, that are otherwise protected within the Secure World.
Understanding Android TrustZone Architecture
ARM TrustZone technology divides a system-on-chip (SoC) into two virtual worlds: the Normal World and the Secure World. The Normal World hosts the rich operating system (e.g., Android), while the Secure World runs a smaller, more secure Trusted OS (T-OS) which handles sensitive operations. Key aspects include:
- Hardware Isolation: The CPU, memory, and peripherals are partitioned by hardware, preventing direct access from the Normal World to Secure World resources.
- Secure Boot: Ensures only authenticated code runs in the TEE from boot-up.
- Key Provisioning & Storage: Cryptographic keys are generated and stored exclusively within the TEE, inaccessible to Android.
- Trusted Applications (TAs): Small, isolated applications running in the TEE, offering specific secure services (e.g., fingerprint authentication, DRM content decryption).
The inherent design makes traditional debugging and software exploitation of the TEE extremely difficult, if not impossible, from the Normal World. This is where physical side-channel attacks, like EM-field analysis, come into play as a last resort for an attacker or a crucial tool for security researchers.
The Theory of EM-Field Side Channels
Every electronic operation, especially digital switching within a CPU, involves transient current flows. These current fluctuations generate electromagnetic waves that radiate from the device. Cryptographic algorithms are characterized by highly structured, iterative operations that process data bit by bit or byte by byte. As these operations manipulate secret key material, the intermediate computational values directly influence the instantaneous current draw and, consequently, the EM radiation pattern.
For instance, an XOR operation involving a key byte and a plaintext byte will result in a different current draw depending on the Hamming weight (number of ‘1’ bits) of the intermediate result. Modern EM probes can detect these minute differences, providing a ‘signature’ for each operation. By correlating these signatures across many identical operations (e.g., encrypting different plaintexts with the same key), an attacker can statistically deduce the secret key bits.
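To make the Hamming-weight argument concrete, the following simulation is an added example (not code from the article) of the key XOR described above under the leakage model the text gives: each trace sample is the Hamming weight of a register's contents plus Gaussian noise. Rather than recovering the key, it runs the check a defender applies to an implementation: a fixed-versus-random Welch t-test (the TVLA leakage assessment, conventional pass bound |t| < 4.5) on an unprotected XOR and on the same XOR protected with a fresh Boolean mask on every execution. The key byte, the fixed plaintext, the noise level, the two-sample trace layout and the trace count are constructed assumptions.

```python
import math
import random
import statistics

# Constructed assumptions for the simulation (not values from the article).
KEY = 0x2B          # secret key byte held in the TEE
FIXED_PT = 0x2B     # fixed plaintext for the "fixed" trace set (FIXED_PT ^ KEY == 0x00)
NOISE_SD = 1.0      # measurement noise, in Hamming-weight units
THRESHOLD = 4.5     # conventional TVLA pass/fail bound on |t|


def hamming_weight(x: int) -> int:
    """Number of 1 bits in a byte: the leakage model the article describes."""
    return bin(x & 0xFF).count("1")


def simulate_trace(p, k, masked, rng):
    """
    One two-sample 'EM trace' of the key XOR p ^ k.
    sample 0: register holding the XOR result.
    sample 1: register holding the mask (no mask => only noise here).
    """
    if masked:
        m = rng.randrange(256)               # fresh Boolean mask every execution
        s0 = hamming_weight(p ^ k ^ m)       # the device only ever holds the masked value
        s1 = hamming_weight(m)
    else:
        s0 = hamming_weight(p ^ k)           # unprotected: leaks HW(p ^ k) directly
        s1 = 0
    return (s0 + rng.gauss(0, NOISE_SD), s1 + rng.gauss(0, NOISE_SD))


def collect(masked, n, seed=1):
    """Fixed-versus-random acquisition: n traces with FIXED_PT, n with random plaintexts."""
    rng = random.Random(seed)
    fixed = [simulate_trace(FIXED_PT, KEY, masked, rng) for _ in range(n)]
    rand = [simulate_trace(rng.randrange(256), KEY, masked, rng) for _ in range(n)]
    return fixed, rand


def welch_t(a, b):
    """Welch's t statistic between two samples of possibly unequal variance."""
    va, vb = statistics.variance(a), statistics.variance(b)
    return (statistics.fmean(a) - statistics.fmean(b)) / math.sqrt(va / len(a) + vb / len(b))


def first_order_t(fixed, rand, sample):
    """First-order test: compare one sample position directly between the two sets."""
    return welch_t([t[sample] for t in fixed], [t[sample] for t in rand])


def second_order_t(fixed, rand):
    """Second-order test: centred product of the two samples, then the same t-test."""
    both = fixed + rand
    mu0 = statistics.fmean([t[0] for t in both])
    mu1 = statistics.fmean([t[1] for t in both])

    def prod(t):
        return (t[0] - mu0) * (t[1] - mu1)

    return welch_t([prod(t) for t in fixed], [prod(t) for t in rand])


def assess(masked, n=2000):
    """Largest |t| at first order across both samples, and the second-order |t|."""
    fixed, rand = collect(masked, n)
    return {
        "first_order": max(abs(first_order_t(fixed, rand, s)) for s in (0, 1)),
        "second_order": abs(second_order_t(fixed, rand)),
    }


if __name__ == "__main__":
    for masked in (False, True):
        r = assess(masked)
        label = "masked" if masked else "unprotected"
        verdict = lambda v: "LEAKS" if v > THRESHOLD else "passes"
        print(f"{label:11s} first-order |t| = {r['first_order']:6.1f} ({verdict(r['first_order'])}), "
              f"second-order |t| = {r['second_order']:6.1f} ({verdict(r['second_order'])})")
```

Running it shows the unprotected XOR failing the first-order test by a wide margin while the masked version passes it, because every value the masked device holds is uniformly distributed regardless of the key. The second-order test, which combines the two samples, still flags the masked version: a single Boolean mask defeats first-order analysis only, which is why a leakage evaluation of a TEE crypto routine has to state the order it tested and the number of traces used.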
Hardware Setup for EM-Field Acquisition
Extracting meaningful EM data requires a precise and sophisticated hardware setup:
- Target Device Preparation: An Android device with its SoC exposed. This often involves carefully decapsulating the SoC package to get closer to the silicon, or at least removing shielding cans. The target cryptographic operation within TrustZone must be triggered repeatedly. This might involve:
  - Running a specific Android application that invokes a TEE service (e.g., playing DRM-protected content, using secure storage APIs).
  - Developing a custom TEE application (if a TEE development environment is accessible) to control the cryptographic operation directly.
- EM Probe & Positioning System: A high-bandwidth near-field EM probe (e.g., Langer RF-R 0.3-3, Tektronix P6019) is essential. Near-field probes localize the measurement to a very small area. The probe must be mounted on a high-precision XYZ positioning stage (e.g., with micron-level resolution) to accurately scan the SoC surface.
- Oscilloscope & Pre-amplifier: A high-sampling-rate digital storage oscilloscope (DSO) (e.g., Keysight Infiniium, Picoscope 6000 series with several GS/s) is used to capture the analog EM signals. A low-noise RF pre-amplifier may be necessary to boost the weak signals before they reach the DSO, ensuring a good signal-to-noise ratio.
- Triggering & Synchronization: Accurate synchronization between the cryptographic operation on the target and the EM acquisition on the oscilloscope is paramount. This can be achieved via:
  - A GPIO pin from the target SoC, if accessible, configured to toggle at the start of the crypto operation.
  - Software-controlled timing, though less precise, by observing predictable patterns in the EM traces.
- Shielded Environment: The entire setup should ideally be placed in a Faraday cage or a shielded room to minimize external electromagnetic interference from Wi-Fi, cellular networks, and other electronic devices.
Methodology: Hunting for Crypto Keys
Step 1: Target Identification and Characterization
Identify the specific TEE function responsible for the cryptographic operation of interest (e.g., AES encryption, key derivation). Analyze the TEE binary (if available through other means) to understand the algorithm’s structure. Trigger the target operation repeatedly with varying inputs (e.g., known plaintexts for an encryption function) to generate differential EM traces. Each trace must correspond to a unique input but the same key.
Step 2: Data Acquisition
Using the XYZ stage, systematically scan the SoC surface with the EM probe. For each position, collect hundreds or thousands of EM traces while the target cryptographic operation is executing. Focus on areas suspected to contain the cryptographic module, such as the CPU core or dedicated crypto accelerators. The oscilloscope captures these transient signals, which are then digitized and stored.
```sh
# Conceptual shell command to trigger an operation 1000 times (example for a DRM test).
# The command that invokes the TEE-backed DRM operation is cut off in the original;
# <DRM-trigger-command> below is a placeholder for it, not a real command.
for i in $(seq 1 1000); do
    adb shell <DRM-trigger-command>
done
```