{"id":13764297,"url":"https://github.com/enovella/TEE-reversing","last_synced_at":"2025-05-10T19:31:15.251Z","repository":{"id":37431751,"uuid":"161059470","full_name":"enovella/TEE-reversing","owner":"enovella","description":" A curated list of public TEE resources for learning how to reverse-engineer and achieve trusted code execution on ARM devices","archived":false,"fork":false,"pushed_at":"2024-07-08T09:56:27.000Z","size":21908,"stargazers_count":886,"open_issues_count":0,"forks_count":101,"subscribers_count":48,"default_branch":"master","last_synced_at":"2024-11-12T03:02:05.556Z","etag":null,"topics":["android","arm-trustzone","tee","trusted-execution-environment","trustzone","trustzone-kernel"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/enovella.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-12-09T16:36:09.000Z","updated_at":"2024-11-05T02:47:28.000Z","dependencies_parsed_at":"2023-01-19T05:46:04.499Z","dependency_job_id":"6d11241e-04d0-4ac9-aacc-639987e8437f","html_url":"https://github.com/enovella/TEE-reversing","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enovella%2FTEE-reversing","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enovella%2FTEE-reversing/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enovella%2FTEE-reversing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/enovella%2FTEE-reversing/manifests","owner_url
":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/enovella","download_url":"https://codeload.github.com/enovella/TEE-reversing/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224986006,"owners_count":17402934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","arm-trustzone","tee","trusted-execution-environment","trustzone","trustzone-kernel"],"created_at":"2024-08-03T16:00:18.477Z","updated_at":"2025-05-10T19:31:15.194Z","avatar_url":"https://github.com/enovella.png","language":null,"funding_links":[],"categories":["Research and Community","Resources","Awesome Lists"],"sub_categories":["TrustZone and TEE Research","Misc Tools"],"readme":"# TEE Basics \u0026 General\n\n- Introduction to Trusted Execution Environment: ARM's TrustZone (Quarkslab)\n\t- https://blog.quarkslab.com/introduction-to-trusted-execution-environment-arms-trustzone.html\n\n- Introduction to TEE (IIJ Lab seminar; original Japanese title: TEEを中心とするCPUセキュリティ機能の動向, roughly: Trends in CPU Security Features Centred on the TEE)\n\t- https://seminar-materials.iijlab.net/iijlab-seminar/iijlab-seminar-20181120.pdf\n\n- Attacking the ARM's TrustZone (Quarkslab)\n\t- https://blog.quarkslab.com/attacking-the-arms-trustzone.html\n\n- ARM TrustZone Security Whitepaper\n\t- http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf\n\n- ARM TrustZone website (Arm Developer)\n\t- https://developer.arm.com/ip-products/security-ip/trustzone\n\n- TrustZone Explained: Architectural Features and Use Cases\n\t- http://sefcom.asu.edu/publications/trustzone-explained-cic2016.pdf\n\n- Trustworthy Execution on 
Mobile Devices\n\t- https://netsec.ethz.ch/publications/papers/paper-hyperphone-TRUST-2012.pdf\n\n- Demystifying Arm TrustZone: A Comprehensive Survey\n\t- https://www.researchgate.net/profile/Nuno_Santos9/publication/330696364_Demystifying_Arm_TrustZone_A_Comprehensive_Survey/links/5c6ff1a792851c6950379cdd/Demystifying-Arm-TrustZone-A-Comprehensive-Survey.pdf\n\n- Understanding Trusted Execution Environments and Arm TrustZone (by Azeria)\n\t- https://azeria-labs.com/trusted-execution-environments-tee-and-trustzone/\n\n- SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems (IEEE S\u0026P 2020)\n\t- https://www.cs.purdue.edu/homes/pfonseca/papers/sp2020-tees.pdf\n\n- Giving Mobile Security the Boot (by Jonathan Levin)\n\t- https://papers.put.as/papers/ios/2016/TrustZone.pdf\n\n- The ARMs race to TrustZone (by Jonathan Levin)\n\t- http://technologeeks.com/files/TZ.pdf\n\n# TEE Exploits/Security Analysis\n\n## HiSilicon/Huawei (TrustedCore)\n\n- Attacking Your Trusted Core: Exploiting TrustZone on Android (BH US 2015) by Di Shen (@returnsme)\n\t- https://www.blackhat.com/docs/us-15/materials/us-15-Shen-Attacking-Your-Trusted-Core-Exploiting-Trustzone-On-Android-wp.pdf\n\n- EL3 Tour: Get the Ultimate Privilege of Android Phone (Infiltrate 2019)\n\t- slides: https://speakerdeck.com/hhj4ck/el3-tour-get-the-ultimate-privilege-of-android-phone\n\t- paper: [infiltrate.pdf](https://github.com/enovella/TEE-reversing/blob/master/Papers/infiltrate.pdf)\n\t- video: https://vimeo.com/335948808\n\n- Nailgun: Break the privilege isolation in ARM devices (PoC #2 only)\n\t- https://github.com/ningzhenyu/nailgun\n\n- Nick Stephens: How does someone unlock your phone with nose 
(GeekPwn 2016; gives the big picture of NWd \u003c\u003e SWd communication and the exploits)\n\t- https://fr.slideshare.net/GeekPwnKeen/nick-stephenshow-does-someone-unlock-your-phone-with-nose\n\n## Qualcomm (QSEE)\n\n- Reflections on Trusting TrustZone (Dan Rosenberg, BH US 2014)\n\t- https://www.blackhat.com/docs/us-14/materials/us-14-Rosenberg-Reflections-on-Trusting-TrustZone.pdf\n\n- Getting arbitrary code execution in TrustZone's kernel from any context (28/03/2015)\n\t- http://bits-please.blogspot.com/2015/03/getting-arbitrary-code-execution-in.html\n\n- Exploring Qualcomm's TrustZone implementation (04/08/2015)\n\t- http://bits-please.blogspot.com/2015/08/exploring-qualcomms-trustzone.html\n\n- Full TrustZone exploit for MSM8974 (10/08/2015)\n\t- http://bits-please.blogspot.com/2015/08/full-trustzone-exploit-for-msm8974.html\n\n- TrustZone Kernel Privilege Escalation (CVE-2016-2431)\n\t- http://bits-please.blogspot.com/2016/06/trustzone-kernel-privilege-escalation.html\n\n- War of the Worlds - Hijacking the Linux Kernel from QSEE\n\t- http://bits-please.blogspot.com/2016/05/war-of-worlds-hijacking-linux-kernel.html\n\n- QSEE privilege escalation vulnerability and exploit (CVE-2015-6639)\n\t- http://bits-please.blogspot.com/2016/05/qsee-privilege-escalation-vulnerability.html\n\n- Exploring Qualcomm's Secure Execution Environment (26/04/2016)\n\t- http://bits-please.blogspot.com/2016/04/exploring-qualcomms-secure-execution.html\n\n- Android privilege escalation to mediaserver from zero permissions (CVE-2014-7920 + CVE-2014-7921)\n\t- http://bits-please.blogspot.com/2016/01/android-privilege-escalation-to.html\n\n- Trust Issues: Exploiting TrustZone TEEs (Google Project Zero, 24 July 2017)\n\t- https://googleprojectzero.blogspot.com/2017/07/trust-issues-exploiting-trustzone-tees.html\n\n- Breaking Bad. 
Reviewing Qualcomm ARM64 TZ and HW-enabled Secure Boot on Android (4-9.x)\n\t- https://github.com/bkerler/slides_and_papers/blob/master/QualcommCrypto.pdf\n\n- Technical Advisory: Private Key Extraction from Qualcomm Hardware-backed Keystores CVE-2018-11976 (NCC)\n\t- https://www.nccgroup.trust/us/our-research/private-key-extraction-qualcomm-keystore/\n\n- Qualcomm TrustZone Integer Signedness bug (12/2014)\n\t- https://fredericb.info/2014/12/qpsiir-80-qualcomm-trustzone-integer.html\n\n- The road to Qualcomm TrustZone apps fuzzing (RECON Montreal 2019)\n\t- https://cfp.recon.cx/media/tz_apps_fuzz.pdf\n\n- Downgrade Attack on TrustZone\n\t- http://ww2.cs.fsu.edu/~ychen/paper/downgradeTZ.pdf\n\n### Motorola (Qualcomm SoC)\n\n- Unlocking the Motorola Bootloader (10/02/2016)\n\t- http://bits-please.blogspot.com/2016/02/unlocking-motorola-bootloader.html\n\n### HTC (Qualcomm SoC)\n\n- Here Be Dragons: Vulnerabilities in TrustZone (14/08/2014)\n\t- https://atredispartners.blogspot.com/2014/08/here-be-dragons-vulnerabilities-in.html\n\n## Trustonic (Kinibi \u0026 MobiCore)\n\n- Unbox Your Phone: Parts I, II \u0026 III\n\t- https://medium.com/taszksec/unbox-your-phone-part-i-331bbf44c30c\n\t- https://medium.com/taszksec/unbox-your-phone-part-ii-ae66e779b1d6\n\t- https://medium.com/taszksec/unbox-your-phone-part-iii-7436ffaff7c7\n\t- https://github.com/puppykitten/tbase\n\t- https://github.com/puppykitten/tbase/blob/master/unboxyourphone_ekoparty.pdf\n\n- KINIBI TEE: Trusted Application Exploitation (2018-12-10)\n\t- https://www.synacktiv.com/posts/exploit/kinibi-tee-trusted-application-exploitation.html\n\n- TEE Exploitation on Samsung Exynos devices by Eloi Sanfelix: Parts I, II, III, IV\n\t- https://labs.bluefrostsecurity.de/blog/2019/05/27/tee-exploitation-on-samsung-exynos-devices-introduction/\n\t- https://labs.bluefrostsecurity.de/files/TEE.pdf\n\t- video: (Infiltrate 2019) https://vimeo.com/335947683\n\n- Breaking Samsung's ARM TrustZone (BlackHat USA 2019)\n\t- 
slides: https://i.blackhat.com/USA-19/Thursday/us-19-Peterlin-Breaking-Samsungs-ARM-TrustZone.pdf\n\t- video: https://www.youtube.com/watch?v=uXH5LJGRwXI\u0026list=PLH15HpR5qRsWrfkjwFSI256x1u2Zy49VI\u0026index=30\n\n- Launching feedback-driven fuzzing on TrustZone TEE (HITB GSEC 2019)\n\t- https://gsec.hitb.org/materials/sg2019/D2%20-%20Launching%20Feedback-Driven%20Fuzzing%20on%20TrustZone%20TEE%20-%20Andrey%20Akimov.pdf\n\n- A Deep Dive into Samsung's TrustZone (Quarkslab)\n\t- (Part 1 - intro) https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-1.html\n\t- (Part 2 - fuzzing TAs) https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-2.html\n\t- (Part 3 - exploiting EL3) https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-3.html\n\n## Samsung (TEEGRIS)\n\n- Breaking TEE Security: Samsung TEEGRIS (Riscure)\n\t- (Part 1 - intro) https://www.riscure.com/blog/tee-security-samsung-teegris-part-1\n\t- (Part 2 - exploiting TAs) https://www.riscure.com/blog/tee-security-samsung-teegris-part-2\n\t- (Part 3 - EoP from TAs to the TOS) https://www.riscure.com/blog/tee-security-samsung-teegris-part-3\n\n- Reverse-engineering Samsung Exynos 9820 bootloader and TZ by @astarasikov\n\t- http://allsoftwaresucks.blogspot.com/2019/05/reverse-engineering-samsung-exynos-9820.html\n\n- Bug Hunting S21’s 10ADAB1E FW (OffensiveCon 2022)\n\t- https://www.dropbox.com/s/2f14ga52jguu5cy/OffensiveCon%202022%20-%20Bug%20Hunting%20S21s%2010ADAB1E%20FW.pdf?dl=0\n\n## Apple (Secure Enclave)\n\n- Demystifying the Secure Enclave Processor by Tarjei Mandt, Mathew Solnik, and David Wang (BH US 2016)\n\t- paper: http://mista.nu/research/sep-paper.pdf\n\t- slides: https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf\n\n## Intel (Intel SGX)\n\n- Intel SGX Explained by Victor Costan and Srinivas Devadas\n\t- https://css.csail.mit.edu/6.858/2017/readings/costan-sgx.pdf\n\n\n# TEE Fuzzing\n\n- PARTEMU: Enabling Dynamic Analysis of Real-World TrustZone Software Using 
Emulation (USENIX Security 2020)\n\t- https://people.eecs.berkeley.edu/~rohanpadhye/files/partemu-usenixsec20.pdf\n\n- The Road to Qualcomm TrustZone Apps Fuzzing (Check Point Research; RECON Montreal 2019)\n\t- https://research.checkpoint.com/the-road-to-qualcomm-trustzone-apps-fuzzing/\n\t- https://cfp.recon.cx/media/tz_apps_fuzz.pdf\n\n- Launching feedback-driven fuzzing on TrustZone TEE (HITB GSEC 2019 Singapore)\n\t- slides: https://gsec.hitb.org/materials/sg2019/D2%20-%20Launching%20Feedback-Driven%20Fuzzing%20on%20TrustZone%20TEE%20-%20Andrey%20Akimov.pdf\n\t- video: https://www.youtube.com/watch?v=yb7KGznzczs\n\n- Fuzzing Embedded (Trusted) Operating Systems Using AFL (Martijn Bogaard | nullcon Goa 2019) OP-TEE\n\t- slides: https://nullcon.net/website/archives/pdf/bangalore-2019/fuzzing-embedded-(trusted)-operating-systems%20using-AFL.pdf\n\t- video: https://www.youtube.com/watch?v=AZhxZlwZ160\n\t- webinar: https://www.youtube.com/watch?time_continue=12\u0026v=ROyD9RTMePA\n\n- SAN19-225 Fuzzing embedded (trusted) operating systems using AFL (Martijn Bogaard) OP-TEE\n\t- video: https://www.youtube.com/watch?v=7bYAwaJ7WZw\n\n- Dive into Android TA Bug Hunting and Fuzzing (Kanxue SDC 2023)\n\t- https://github.com/guluisacat/MySlides/blob/main/KanxueSDC2023/%E3%80%90%E8%AE%AE%E9%A2%98%E3%80%91%E6%B7%B1%E5%85%A5Android%E5%8F%AF%E4%BF%A1%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98.pdf\n\n\n# TEE Secure Boot\n\n- Reverse Engineering Samsung S6 SBOOT - Part I \u0026 II (Quarkslab)\n\t- https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-i.html\n\t- https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-ii.html\n\n- Secure initialization of TEEs: when secure boot falls short (Riscure, EuskalHack 2017)\n\t- https://www.riscure.com/uploads/2017/08/euskalhack_2017_-_secure_initialization_of_tees_when_secure_boot_falls_short.pdf\n\n- Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM\n\t- https://fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html#amlogic-s905-soc-bypassing-not-so\n\n- Qualcomm Secure Boot and Image Authentication Technical Overview\n\t- https://www.qualcomm.com/documents/secure-boot-and-image-authentication-technical-overview-v20\n\n- Breaking Samsung's Root of Trust - Exploiting Samsung Secure Boot (BlackHat 2020)\n\t- 
https://teamt5.org/en/posts/blackhat-s-talk-breaking-samsung-s-root-of-trust-exploiting-samsung-secure-boot/\n\n- Overview of Secure Boot state in the ARM-based SoCs (Maciej Pijanowski, Hardware-Aided Trusted Computing devroom, FOSDEM 2021)\n\t- https://archive.fosdem.org/2021/schedule/event/tee_arm_secboot/attachments/paper/4635/export/events/attachments/tee_arm_secboot/paper/4635/Overview_of_Secure_Boot_in_Arm_based_SoCs.pdf\n\n# TEE Videos\n\n- Ekoparty-13 (2017) Daniel Komaromy - Unbox Your Phone - Exploring and Breaking Samsung's TrustZone SandBoxes\n\t- video: https://www.youtube.com/watch?v=L2Mo8WcmmZo\n\t- slides: https://github.com/puppykitten/tbase/blob/master/unboxyourphone_ekoparty.pdf\n\n- Daniel Komaromy - Enter The Snapdragon (2014-10-11)\n\t- https://www.youtube.com/watch?v=2wJRnewVE-g\n\n- BSides DC 2018 \u0026 DerbyCon VIII - On the nose: Bypassing Huawei's Fingerprint Authentication by Exploiting the TrustZone by Nick Stephens\n\t- https://www.youtube.com/watch?v=QFFhdqP7Dxg\n\t- https://www.youtube.com/watch?v=MdoGCXGHGnY\n\n- An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture by Josh Thomas and Charles Holmes at the Android Security Symposium in Vienna, Austria, 9-11 September 2015\n\t- https://www.youtube.com/watch?v=vxNGgOR-iVM\n\n- Android and trusted execution environments by Jan-Erik Ekberg (Trustonic) at the Android Security Symposium in Vienna, Austria, 9-11 September 2015\n\t- https://www.youtube.com/watch?v=5542lEk3OAM\n\n- 34C3 2017 - Console Security - Switch by Plutoo, Derrek and Naehrwert\n\t- https://media.ccc.de/v/34c3-8941-console_security_-_switch\n\n- 34C3 2017 - TrustZone is not enough by Pascal Cotret\n\t- 
https://media.ccc.de/v/34c3-8831-trustzone_is_not_enough\n\n- RootedCON 2017 - What your mother never told you about Trusted Execution Environment... by José A. Rivas\n\t- *audio Spanish original* https://www.youtube.com/watch?v=lzrIzS84mdk\n\t- *English translation* https://www.youtube.com/watch?v=Lzb5OfE1M7s\n\n- BH US 2015 - Fingerprints On Mobile Devices: Abusing And Leaking\n\t- https://www.youtube.com/watch?v=7NkojB9gLXM\n\n- No ConName 2015 - (Un)Trusted Execution Environments by Pau Oliva\n\t- video: *audio Spanish only* https://vimeo.com/150787883\n\t- slides: https://t.co/vFATxEa7sy\n\n- BH US 2014 - Reflections on Trusting TrustZone by Dan Rosenberg\n\t- https://www.youtube.com/watch?v=7w40mS5yLjc\n\n- ARM TrustZone for dummies by Tim Hummels\n\t- https://www.youtube.com/watch?v=ecBByjwny3s\n\n# Microarchitectural attacks applied to TEE\n\n- ARMageddon: Cache attacks on mobile devices\n    - [Paper] https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_lipp.pdf\n    - [Related tool] https://github.com/IAIK/armageddon\n\n- Cache storage channels: Alias-driven attacks and verified countermeasures.\n    - https://www.kth.se/polopoly_fs/1.641701.1550155969!/R.Guanciale.pdf\n\n- 34C3 - Microarchitectural Attacks on Trusted Execution Environments\n    - https://media.ccc.de/v/34c3-8950-microarchitectural_attacks_on_trusted_execution_environments\n\n- TruSpy: Cache side-channel information leakage from the secure world on ARM devices\n    - https://eprint.iacr.org/2016/980.pdf\n\n\n# Tools\n\n## Emulate\n\n- QEMU Support for Exynos9820 S-Boot\n\t- https://github.com/astarasikov/qemu\n\n- Emulating Exynos 4210 BootROM in QEMU\n\t- https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html#emulating-exynos-4210-bootrom-in-qemu\n\n## Reverse\n\n- TZAR unpacker\n\t- https://gist.github.com/astarasikov/f47cb7f46b5193872f376fa0ea842e4b#file-unpack_startup_tzar-py\n\n- IDA MCLF Loader\n\t- 
https://github.com/ghassani/mclf-ida-loader\n\n- Ghidra MCLF Loader\n\t- https://github.com/NeatMonster/mclf-ghidra-loader\n\n# Other useful resources\n\n- Trusted Firmware (TF-A, formerly ARM Trusted Firmware, and TF-M): reference secure-world firmware for Cortex-A and Cortex-M\n\t- https://www.trustedfirmware.org/\n\n- OP-TEE: open-source TEE based on ARM TrustZone\n\t- https://www.op-tee.org/\n\n- Trust Issues: Exploiting TrustZone TEEs by Google Project Zero\n\t- https://googleprojectzero.blogspot.com/2017/07/trust-issues-exploiting-trustzone-tees.html\n\n- Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments (A. Machiry et al., NDSS 2017)\n\t- https://pdfs.semanticscholar.org/f62b/db9f1950329f59dc467238737d2de1a1bac4.pdf (slides)\n\t- http://sites.cs.ucsb.edu/~cspensky/pdfs/ndss17-final227.pdf (paper)\n\t- https://github.com/ucsb-seclab/boomerang (tool)\n\n- tee_research: IDA and Ghidra plugins for TEE research (bkerler)\n\t- https://github.com/bkerler/tee_research\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fenovella%2FTEE-reversing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fenovella%2FTEE-reversing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fenovella%2FTEE-reversing/lists"}