Introduction: Unveiling TrustZone OS and Its Importance
ARM TrustZone technology is a system-wide approach to security built into modern ARM processors that partitions the SoC into two execution environments: the Normal World and the Secure World. The Secure World hosts the TrustZone Operating System (TZOS), which manages sensitive operations such as digital rights management (DRM), biometric authentication, secure key storage, and secure boot. On ARMv8-A parts the TZOS runs at Secure EL1 beneath a Secure Monitor at EL3 that switches worlds on SMC calls, and trusted applications (TAs) run above it at Secure EL0. Extracting the TZOS firmware is a critical step for security researchers and reverse engineers aiming to uncover vulnerabilities, understand proprietary security implementations, or analyze TAs. This guide provides an expert-level walkthrough on how to approach TZOS firmware extraction using JTAG and UART interfaces.
Prerequisites: Essential Tools and Skills
Before diving into the extraction process, ensure you have the necessary hardware, software, and fundamental skills.
Hardware Requirements:
- Target Device: An Android smartphone, IoT device, or any embedded system utilizing ARM TrustZone.
- JTAG Debugger: OpenOCD-compatible debuggers such as Segger J-Link or J-Trace, Bus Blaster, or other FTDI FT2232-based adapters. (ST-Link is designed around STM32 parts; for a third-party application-processor SoC prefer a J-Link or FTDI-based adapter.)
- UART-to-USB Adapter: For serial communication (e.g., FT232R, CP2102 based adapters).
- Soldering Equipment: Fine-tip soldering iron, solder wire, flux, desoldering braid.
- Multimeter: For continuity testing and voltage verification.
- Probes/Wires: Fine gauge wires, pogo pins (for non-destructive connections).
- Logic Analyzer/Oscilloscope (Optional): Useful for identifying unknown signals and confirming UART baud rates.
Software Requirements:
- OpenOCD: Open On-Chip Debugger for JTAG interaction.
- GDB: GNU Debugger for interacting with the target via OpenOCD (use a multi-architecture build such as gdb-multiarch, or a cross GDB for ARM/AArch64).
- IDA Pro or Ghidra: For disassembling and analyzing the extracted firmware.
Required Skills:
- Basic hardware hacking (soldering, identifying components).
- Understanding of ARM architecture (registers, exception levels, memory management).
- Familiarity with assembly language (ARM32/ARM64).
- Reverse engineering fundamentals.
Step 1: Locating JTAG/UART Ports on Your Target
The first hurdle is always physical access. JTAG (Joint Test Action Group) and UART (Universal Asynchronous Receiver-Transmitter) interfaces are often exposed as unpopulated headers, test pads, or even reused GPIOs.
Methods for Pin Identification:
- Visual Inspection: Look for clusters of test points or unpopulated header footprints. JTAG has four mandatory signals (TDI, TDO, TMS, TCK), usually plus TRST and/or a system reset (nSRST), GND and a VCC/VTref sense pin; Cortex-based SoCs may instead expose two-wire SWD (SWDIO, SWCLK) on the same footprint. UART typically has TX, RX, and GND.
- Datasheet/Schematic Analysis: If available, datasheets for the main SoC or board schematics are invaluable.
- Continuity Testing: With a multimeter in continuity mode, probe potential JTAG/UART pads. Look for connections to known SoC pins (if pinouts are available) or traces leading to the SoC.
- Trial and Error with Logic Analyzer: For unknown pins, a logic analyzer can help identify common serial patterns (UART activity) or JTAG clock/data lines.
Common JTAG footprints include the ARM 20-pin and 14-pin headers, the MIPS EJTAG 14-pin header, the Cortex Debug 10-pin header, and 6-pin Tag-Connect pads. UART TX lines usually carry bootloader console output from the first moments after power-on, so probing candidate pads with an oscilloscope or logic analyzer during boot is the quickest way to find them: an idle UART line sits at the I/O voltage and pulls low for each start bit.
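The boot-time UART activity described above can be turned into readable console output without guessing the baud rate. The following Python script is an added example for this guide, not code from the original article: it takes a logic-analyzer capture (one logic level per sample at a known sample rate), estimates the baud rate from the shortest pulse in the capture, and decodes 8N1 frames. The capture it runs on is constructed inside the script (a short U-Boot banner fragment encoded at 115200 baud), and the idle-high, 8 data bits, no parity, 1 stop bit format is an assumption that matches the usual boot console.

```python
"""Recover the baud rate and 8N1 bytes from a logic-analyzer capture of a UART TX line.

Added example for this guide, not code from the original article.  Assumes the
capture is one logic level per sample at a known sample rate, the line idles high,
and frames are 8 data bits, no parity, 1 stop bit.  The capture used below is
constructed here so the script runs offline.
"""

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600, 1500000)


def encode_8n1(data, baud, sample_rate, idle_bits=4):
    """Constructed capture: one 0/1 level per sample, idle high, LSB first."""
    spb = sample_rate // baud                      # samples per bit
    bits = [1] * idle_bits
    for byte in data:
        bits.append(0)                             # start bit
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)                             # stop bit
    bits.extend([1] * idle_bits)
    return [level for level in bits for _ in range(spb)]


def run_lengths(samples):
    """Collapse the capture into (level, length) runs."""
    runs = []
    level, count = samples[0], 0
    for s in samples:
        if s == level:
            count += 1
        else:
            runs.append((level, count))
            level, count = s, 1
    runs.append((level, count))
    return runs


def estimate_baud(samples, sample_rate, tolerance=0.05):
    """The shortest run between the first and last transition is one bit period.

    Returns the nearest standard baud rate, or None if nothing is within
    `tolerance` (usually the sample rate is too low to resolve a single bit).
    """
    inner = run_lengths(samples)[1:-1]             # drop leading/trailing idle
    if not inner:
        raise ValueError("no transitions in capture")
    bit_samples = min(length for _, length in inner)
    raw = sample_rate / bit_samples
    best = min(STANDARD_BAUDS, key=lambda b: abs(b - raw))
    return best if abs(best - raw) / best <= tolerance else None


def decode_8n1(samples, sample_rate, baud):
    """Decode frames by sampling each bit at its centre after a start bit."""
    spb = sample_rate / baud
    out = bytearray()
    i, n = 0, len(samples)
    while i < n:
        if samples[i] == 1:                        # idle or stop bit: keep scanning
            i += 1
            continue
        centre = i + spb / 2                       # centre of the start bit
        value = 0
        for bit in range(8):
            idx = int(centre + (bit + 1) * spb)
            if idx >= n:
                return bytes(out)                  # frame cut off at end of capture
            value |= samples[idx] << bit
        stop_idx = int(centre + 9 * spb)
        if stop_idx < n and samples[stop_idx] != 1:
            raise ValueError(f"framing error at sample {i}: wrong baud or polarity")
        out.append(value)
        i = int(i + 10 * spb)                      # skip to the end of the stop bit
    return bytes(out)


if __name__ == "__main__":
    rate = 1_843_200                               # 16x oversampling of 115200
    capture = encode_8n1(b"U-Boot\r\n", 115200, rate)   # constructed sample input
    baud = estimate_baud(capture, rate)
    print("estimated baud:", baud)
    print("decoded:", decode_8n1(capture, rate, baud))
```

Real captures from sigrok or a Saleae export are usually timestamped edges rather than per-sample levels; the same shortest-pulse logic applies once you expand the edges into samples. A framing error on a real capture most often means the wrong baud, an inverted line, or a sample rate below about 8x the baud.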
Step 2: Connecting Your Debugger to the Target
Once identified, the pins need to be connected to your JTAG debugger and UART adapter. This usually involves careful soldering of fine wires to the pads or using pogo pins if you want a non-destructive, repeatable setup.
Connection Guidelines:
- Voltage Levels: Verify the target's I/O voltage (e.g., 1.8V, 3.3V) with a multimeter while the board is powered. Ensure your debugger and UART adapter support that level or use a logic level shifter; a 3.3V adapter driving a 1.8V target can damage the SoC.
- JTAG Wiring: Connect TDI, TDO, TMS, TCK, TRST and nSRST (where present), VTref (target reference voltage) and GND to your JTAG debugger. VTref is a sense input on most debuggers: it lets the adapter match the target's logic level and must not be used to power the target.
- UART Wiring: Connect target's TX to adapter's RX, target's RX to adapter's TX, and common GND. Leave the adapter's VCC pin unconnected.
Always double-check your connections, ground and reference voltage first, before powering on to prevent damage.
Step 3: Setting Up Your Software Environment with OpenOCD and GDB
OpenOCD acts as the bridge between your JTAG debugger and GDB: it drives the adapter, exposes a command console (telnet port 4444 by default) and a GDB remote stub (port 3333 by default) that GDB connects to with `target remote :3333`. It requires a configuration file specific to your debugger and target CPU. One caveat before investing time here: whether a halted core lets you read Secure World memory at all depends on the SoC's secure debug enables (SPIDEN/SPNIDEN), which production devices normally fuse off. If they are disabled, JTAG still attaches, but only Normal World state and non-secure memory are visible.
Example OpenOCD Configuration (openocd.cfg):
This snippet assumes a Segger J-Link attached over JTAG to a single ARM Cortex-A core behind a CoreSight debug access port (DAP). Adjust the `source [find interface/…]` line for your adapter and the TAP/target lines for your SoC; for an SoC that OpenOCD already knows, a single `source [find target/…]` replaces everything after the adapter speed.

# Choose your interface (e.g., jlink, buspirate, ftdi)
source [find interface/jlink.cfg]
transport select jtag

# JTAG clock: start low and raise it once the scan chain is stable
adapter speed 1000

# Target description: one Cortex-A core behind a CoreSight JTAG-DP.
# Replace the TAP IDCODE with the value OpenOCD reports at startup or from the SoC
# manual; 0x4ba00477 is the generic ARM JTAG-DP IDCODE and only a placeholder here.
set _CHIPNAME soc
set _DAP_TAPID 0x4ba00477
jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_DAP_TAPID
dap create $_CHIPNAME.dap -chain-position $_CHIPNAME.cpu

# cortex_a (not the generic "arm") is the target type for Cortex-A cores.
# Without -dbgbase OpenOCD locates the debug registers through the CoreSight ROM
# table; add -dbgbase <addr> if that lookup fails on your SoC.
set _TARGETNAME $_CHIPNAME.cpu0
target create $_TARGETNAME cortex_a -endian little -dap $_CHIPNAME.dap -ap-num 0 -coreid 0

# Halt the core when GDB attaches so registers and memory are stable to read
$_TARGETNAME configure -event gdb-attach { echo "GDB attached, halting core"; halt }
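Once OpenOCD is up with a configuration like the one above, the dump itself is three console commands, and the most common failure is silent: a region the DAP is not permitted to read comes back as a uniform fill rather than an error. The following Python script is an added example for this guide, not code from the original article. It assumes OpenOCD is running locally with its default Tcl RPC port (6666), that the operator supplies the base address and size of the region to dump (no TZOS load address is assumed here), and it checks the dumped file offline for the uniform-fill and ELF-header cases.

```python
"""Drive a running OpenOCD over its Tcl RPC port to dump a memory region, then
sanity-check the result offline.

Added example for this guide, not code from the original article.  Assumes:
  * OpenOCD was started with an openocd.cfg like the one above and its default
    tcl_port (6666); commands and replies on that port are framed with 0x1A.
  * The operator supplies BASE and SIZE; no TZOS load address is assumed here.
"""
import socket
import sys
from collections import Counter

TCL_TERMINATOR = b"\x1a"


class OpenOCDClient:
    """Minimal client for OpenOCD's Tcl RPC server."""

    def __init__(self, host="127.0.0.1", port=6666, timeout=60.0):
        self.sock = socket.create_connection((host, port), timeout)

    def command(self, cmd):
        self.sock.sendall(cmd.encode() + TCL_TERMINATOR)
        buf = b""
        while not buf.endswith(TCL_TERMINATOR):
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("OpenOCD closed the Tcl socket")
            buf += chunk
        return buf[:-1].decode(errors="replace")

    def close(self):
        self.sock.close()


def dump_commands(base, size, path):
    """OpenOCD console commands to halt, dump [base, base+size) to path, resume."""
    return ["halt", f"dump_image {path} 0x{base:08x} 0x{size:x}", "resume"]


def sanity_check(data):
    """Diagnose a dumped region.

    An all-0x00 or all-0xFF read usually means the DAP was refused access (secure
    memory with secure debug disabled) or the address is unmapped: a uniform fill
    is not firmware.  An ELF header is reported when present but not required.
    """
    if not data:
        return "empty dump"
    top, count = Counter(data).most_common(1)[0]
    if count == len(data):
        return f"uniform fill 0x{top:02x}: access denied or unmapped"
    if count / len(data) > 0.98:
        return f"almost uniform (0x{top:02x}): check address/size"
    if data[:4] == b"\x7fELF":
        return "ELF header present"
    return "non-uniform data, plausible image"


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: dump_region.py BASE SIZE OUTFILE   (BASE/SIZE in hex, e.g. 0x...)")
    base, size, path = int(sys.argv[1], 0), int(sys.argv[2], 0), sys.argv[3]
    client = OpenOCDClient()
    try:
        for cmd in dump_commands(base, size, path):
            print(cmd, "->", client.command(cmd))
    finally:
        client.close()
    with open(path, "rb") as f:
        print(sanity_check(f.read()))
```

The same three commands can be typed by hand into the telnet console on port 4444; the script only adds the post-dump check, which is the step most often skipped. If the region reads as a uniform fill while Normal World RAM dumps cleanly, suspect the secure debug enables discussed above rather than the wiring.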