{"id":13654105,"url":"https://github.com/quarkslab/samsung-trustzone-research","last_synced_at":"2026-02-03T10:38:36.521Z","repository":{"id":152874771,"uuid":"223920792","full_name":"quarkslab/samsung-trustzone-research","owner":"quarkslab","description":"Reverse-engineering tools and exploits for Samsung's implementation of TrustZone","archived":false,"fork":false,"pushed_at":"2019-12-16T14:29:44.000Z","size":88,"stargazers_count":145,"open_issues_count":0,"forks_count":20,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-11-10T04:36:47.391Z","etag":null,"topics":["bindings","emulation","exploitation","fuzzing","kinibi","reverse-engineering","samsung","tooling","trustzone"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/quarkslab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-11-25T10:22:51.000Z","updated_at":"2024-10-18T19:33:39.000Z","dependencies_parsed_at":null,"dependency_job_id":"5f95b29c-a052-4e9b-bdb9-704f5580e2e9","html_url":"https://github.com/quarkslab/samsung-trustzone-research","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quarkslab%2Fsamsung-trustzone-research","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quarkslab%2Fsamsung-trustzone-research/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quarkslab%2Fsamsung-trustzone-research/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quarkslab%2Fsamsung-trustzone-research/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/quarkslab","download_url":"https://codeload.github.com/quarkslab/samsung-trustzone-research/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250390824,"owners_count":21422784,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bindings","emulation","exploitation","fuzzing","kinibi","reverse-engineering","samsung","tooling","trustzone"],"created_at":"2024-08-02T02:01:23.447Z","updated_at":"2026-02-03T10:38:36.493Z","avatar_url":"https://github.com/quarkslab.png","language":"Python","funding_links":[],"categories":["Tool\u0026\u0026DEBUG","Software Tools"],"sub_categories":["TEE/Trusted Execution Environments"],"readme":"# Security Research on Kinibi\n\nIn this repository, you will find the tools that we have developed during our research to help us reverse engineer and also exploit Samsung's implementation of TrustZone, which is based on a Trusted OS called Kinibi.\n\n## Bindings\n\nIn the `bindings/` folder, you will find Python bindings for the `libMcClient.so` library that is used to communicate with Trusted Applications and Secure Drivers. They were developed because we found it easier to write our exploits in Python, and they proved especially useful for the exercises given during our training sessions.\n\n## Emulator\n\nIn the `emulator/` folder, you will find a Python script that makes use of the [Unicorn](https://www.unicorn-engine.org/) engine to emulate a trustlet. This tool was mainly used to test our exploits as it can print the instructions executed, register values and stack content.\n\n## Fuzzer\n\nIn the `fuzzer/` folder, you will find a Python script that makes use of the [`afl-unicorn`](https://github.com/Battelle/afl-unicorn) project to fuzz trustlets. It is heavily based on the emulator. You will need to implement more tlApis/drApis if you intend to do some serious fuzzing.\n\n## Scripts\n\nIn the `scripts/` folder, you will find various things:\n- `mclf_loader`, a loader for trustlet binaries using the MCLF file format\n- `tbase_loader`, a loader that extracts the various components of a SBOOT image\n- `find_symbols`, a script that finds and renames the various tlApis/drApis stubs within trustlets\n- `find_symbols_mclib`, a script that finds and renames the various tlApis/drApis functions within the McLib\n\nThe scripts are available both for IDA Pro and Ghidra, as we wanted our trainees to be able to use a free SRE.\n\n## Tainting\n\nIn the `tainting/` folder, you will find a Python script that makes use of [Manticore](https://github.com/trailofbits/manticore) to find vulnerabilities in trustlets using symbolic execution. This was just an experiment, so the script is really basic.\n\n## Contact\n\n- Alexandre Adamski \u003c\u003caadamski@quarkslab.com\u003e\u003e\n- Joffrey Guilbon \u003c\u003cjguilbon@quarkslab.com\u003e\u003e\n- Maxime Peterlin \u003c\u003cmpeterlin@quarslab.com\u003e\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquarkslab%2Fsamsung-trustzone-research","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fquarkslab%2Fsamsung-trustzone-research","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquarkslab%2Fsamsung-trustzone-research/lists"}