https://github.com/enovella/tee-reversing

A curated list of public TEE resources for learning how to reverse-engineer and achieve trusted code execution on ARM devices
https://github.com/enovella/tee-reversing

android arm-trustzone tee trusted-execution-environment trustzone trustzone-kernel

Last synced: 1 day ago
JSON representation

A curated list of public TEE resources for learning how to reverse-engineer and achieve trusted code execution on ARM devices

• Host: GitHub
• URL: https://github.com/enovella/tee-reversing
• Owner: enovella
• Created: 2018-12-09T16:36:09.000Z (about 6 years ago)
• Default Branch: master
• Last Pushed: 2024-07-08T09:56:27.000Z (6 months ago)
• Last Synced: 2025-01-03T15:04:53.412Z (8 days ago)
• Topics: android, arm-trustzone, tee, trusted-execution-environment, trustzone, trustzone-kernel
• Homepage:
• Size: 20.9 MB
• Stars: 898
• Watchers: 48
• Forks: 105
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-security-collection - **184**星 - engineer and achieve trusted code execution on ARM devices (<a id="8c5a692b5d26527ef346687e047c5c21"></a>收集)

README

        
# TEE Basics & General

- Introduction to Trusted Execution Environment: ARM's TrustZone

	- https://blog.quarkslab.com/introduction-to-trusted-execution-environment-arms-trustzone.html

- Introduction to TEE (original title: TEEを中心とするCPUセキュリティ機能の動向 )

	- https://seminar-materials.iijlab.net/iijlab-seminar/iijlab-seminar-20181120.pdf

- Attacking the ARM's TrustZone

	- https://blog.quarkslab.com/attacking-the-arms-trustzone.html

- ARM TrustZone Security Whitepaper

	- http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf

- Web Site ARM TrustZone

	- https://developer.arm.com/ip-products/security-ip/trustzone

- TrustZone Explained: Architectural Features and Use Cases

	- http://sefcom.asu.edu/publications/trustzone-explained-cic2016.pdf

- Trustworthy Execution on Mobile Devices

	- https://netsec.ethz.ch/publications/papers/paper-hyperphone-TRUST-2012.pdf

- Demystifying ARM Trustzone : A Comprehensive Survey

	- https://www.researchgate.net/profile/Nuno_Santos9/publication/330696364_Demystifying_Arm_TrustZone_A_Comprehensive_Survey/links/5c6ff1a792851c6950379cdd/Demystifying-Arm-TrustZone-A-Comprehensive-Survey.pdf

- Understanding Trusted Execution Environments and Arm TrustZone (by Azeria)

	- https://azeria-labs.com/trusted-execution-environments-tee-and-trustzone/

- SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems

	- https://www.cs.purdue.edu/homes/pfonseca/papers/sp2020-tees.pdf

- Giving Mobile Security the Boot (by Jonathan Levin)

	- https://papers.put.as/papers/ios/2016/TrustZone.pdf

- The ARMs race to TrustZone (by Jonathan Levin)

	- http://technologeeks.com/files/TZ.pdf

# TEE Exploits/Security Analysis

## HiSilicon/Huawei (TrustedCore)

- Exploiting Trustzone on Android (BH-US 2015) by Di Shen(@returnsme)

	- https://www.blackhat.com/docs/us-15/materials/us-15-Shen-Attacking-Your-Trusted-Core-Exploiting-Trustzone-On-Android-wp.pdf

- EL3 Tour : Get the Ultimate Privilege of Android Phone (Infiltrate19)

	- https://speakerdeck.com/hhj4ck/el3-tour-get-the-ultimate-privilege-of-android-phone

	- Paper : [infiltrate.pdf](https://github.com/enovella/TEE-reversing/blob/master/Papers/infiltrate.pdf)

	- video: https://vimeo.com/335948808

- Nailgun: Break the privilege isolation in ARM devices (PoC #2 only)

	- https://github.com/ningzhenyu/nailgun

- Nick Stephens : how does someone unlock your phone with nose. (give big picture of NWd <> SWd communications and exploits) GeekPwn 2016

	- https://fr.slideshare.net/GeekPwnKeen/nick-stephenshow-does-someone-unlock-your-phone-with-nose

## Qualcomm (QSEE)

- Reflections on Trusting TrustZone (2014)

	- https://www.blackhat.com/docs/us-14/materials/us-14-Rosenberg-Reflections-on-Trusting-TrustZone.pdf

- Getting arbitrary code execution in TrustZone's kernel from any context (28/03/2015)

	- http://bits-please.blogspot.com/2015/03/getting-arbitrary-code-execution-in.html

- Exploring Qualcomm's TrustZone implementation (04/08/2015)

	- http://bits-please.blogspot.com/2015/08/exploring-qualcomms-trustzone.html

- Full TrustZone exploit for MSM8974 (10/08/2015)

	- http://bits-please.blogspot.com/2015/08/full-trustzone-exploit-for-msm8974.html

- TrustZone Kernel Privilege Escalation (CVE-2016-2431)

	- http://bits-please.blogspot.com/2016/06/trustzone-kernel-privilege-escalation.html

- War of the Worlds - Hijacking the Linux Kernel from QSEE

	- http://bits-please.blogspot.com/2016/05/war-of-worlds-hijacking-linux-kernel.html

- QSEE privilege escalation vulnerability and exploit (CVE-2015-6639)

	- http://bits-please.blogspot.com/2016/05/qsee-privilege-escalation-vulnerability.html

- Exploring Qualcomm's Secure Execution Environment (26/04/2016)

	- http://bits-please.blogspot.com/2016/04/exploring-qualcomms-secure-execution.html

- Android privilege escalation to mediaserver from zero permissions (CVE-2014-7920 + CVE-2014-7921)

	- http://bits-please.blogspot.com/2016/01/android-privilege-escalation-to.html

- Trust Issues: Exploiting TrustZone TEEs (24 July 2017)

	- https://googleprojectzero.blogspot.com/2017/07/trust-issues-exploiting-trustzone-tees.html

- Breaking Bad. Reviewing Qualcomm ARM64 TZ and HW-enabled Secure Boot on Android (4-9.x)

	- https://github.com/bkerler/slides_and_papers/blob/master/QualcommCrypto.pdf

- Technical Advisory: Private Key Extraction from Qualcomm Hardware-backed Keystores CVE-2018-11976 (NCC)

	- https://www.nccgroup.trust/us/our-research/private-key-extraction-qualcomm-keystore/

- Qualcomm TrustZone Integer Signedness bug (12/2014)

	- https://fredericb.info/2014/12/qpsiir-80-qualcomm-trustzone-integer.html

- The road to Qualcomm TrustZone apps fuzzing (RECON Montreal 2019)

	- https://cfp.recon.cx/media/tz_apps_fuzz.pdf

- Downgrade Attack on TrustZone

	- http://ww2.cs.fsu.edu/~ychen/paper/downgradeTZ.pdf

### Motorola (Qualcomm SoC)

- Unlocking the Motorola Bootloader (10/02/2016)

	- http://bits-please.blogspot.com/2016/02/unlocking-motorola-bootloader.html

### HTC (Qualcomm SoC)

- Here Be Dragons: Vulnerabilities in TrustZone (14/08/2014)

	- https://atredispartners.blogspot.com/2014/08/here-be-dragons-vulnerabilities-in.html

## Trustonic (Kinibi & MobiCore)

- Unbox Your Phone: Parts I, II & III

	- https://medium.com/taszksec/unbox-your-phone-part-i-331bbf44c30c

	- https://medium.com/taszksec/unbox-your-phone-part-ii-ae66e779b1d6

	- https://medium.com/taszksec/unbox-your-phone-part-iii-7436ffaff7c7

	- https://github.com/puppykitten/tbase

	- https://github.com/puppykitten/tbase/blob/master/unboxyourphone_ekoparty.pdf

- KINIBI TEE: Trusted Application Exploitation (2018-12-10)

	- https://www.synacktiv.com/posts/exploit/kinibi-tee-trusted-application-exploitation.html

- TEE Exploitation on Samsung Exynos devices by Eloi Sanfelix: Parts I, II, III, IV

	- https://labs.bluefrostsecurity.de/blog/2019/05/27/tee-exploitation-on-samsung-exynos-devices-introduction/

	- https://labs.bluefrostsecurity.de/files/TEE.pdf

	- video: (Infiltrate 2019) https://vimeo.com/335947683

- Breaking Samsung's ARM TrustZone (BlackHat USA 2019)

	- slides: https://i.blackhat.com/USA-19/Thursday/us-19-Peterlin-Breaking-Samsungs-ARM-TrustZone.pdf

	- video: https://www.youtube.com/watch?v=uXH5LJGRwXI&list=PLH15HpR5qRsWrfkjwFSI256x1u2Zy49VI&index=30

- Launching feedback-driven fuzzing on TrustZone TEE (HITBGSEC2019)

	- https://gsec.hitb.org/materials/sg2019/D2%20-%20Launching%20Feedback-Driven%20Fuzzing%20on%20TrustZone%20TEE%20-%20Andrey%20Akimov.pdf

- A Deep Dive into Samsung's trustzone

	- (Part 1 - intro) https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-1.html

	- (Part 2 - fuzzing TAs) https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-2.html

	- (Part 3 - exploiting EL3) https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-3.html

## Samsung (TEEGRIS)

- Breaking TEE Security :

	- (Part 1 - Intro) https://www.riscure.com/blog/tee-security-samsung-teegris-part-1

	- (Part 2 - Exploiting TAs) https://www.riscure.com/blog/tee-security-samsung-teegris-part-2

	- (Part 3 - EoP TAs > TOS) https://www.riscure.com/blog/tee-security-samsung-teegris-part-3

- Reverse-engineering Samsung Exynos 9820 bootloader and TZ by @astarasikov

	- http://allsoftwaresucks.blogspot.com/2019/05/reverse-engineering-samsung-exynos-9820.html

- Bug Hunting S21’s 10ADAB1E FW (OffensiveCon 2022)

	- https://www.dropbox.com/s/2f14ga52jguu5cy/OffensiveCon%202022%20-%20Bug%20Hunting%20S21s%2010ADAB1E%20FW.pdf?dl=0

## Apple (Secure Enclave)

- Demystifying the Secure Enclave Processor by Tarjei Mandt, Mathew Solnik, and David Wang

	- http://mista.nu/research/sep-paper.pdf

	- *slides* https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf

## Intel (Intel SGX)

- Intel SGX Explained by Victor Costan and Srinivas Devadas

	- https://css.csail.mit.edu/6.858/2017/readings/costan-sgx.pdf

# TEE Fuzzing

- PARTEMU: Enabling Dynamic Analysis of Real-World TrustZone Software Using Emulation

	- https://people.eecs.berkeley.edu/~rohanpadhye/files/partemu-usenixsec20.pdf

- The Road to Qualcomm TrustZone Apps Fuzzing

	- https://research.checkpoint.com/the-road-to-qualcomm-trustzone-apps-fuzzing/

	- https://cfp.recon.cx/media/tz_apps_fuzz.pdf

- Launching feedback-driven fuzzing on TrustZone TEE (HITB GSEC 2019 Singapore)

	- slides: https://gsec.hitb.org/materials/sg2019/D2%20-%20Launching%20Feedback-Driven%20Fuzzing%20on%20TrustZone%20TEE%20-%20Andrey%20Akimov.pdf

	- video: https://www.youtube.com/watch?v=yb7KGznzczs

- Fuzzing Embedded (Trusted) Operating Systems Using AFL (Martijn Bogaard | nullcon Goa 2019) OP-TEE

	- slides: https://nullcon.net/website/archives/pdf/bangalore-2019/fuzzing-embedded-(trusted)-operating-systems%20using-AFL.pdf

	- video: https://www.youtube.com/watch?v=AZhxZlwZ160

	- webinar: https://www.youtube.com/watch?time_continue=12&v=ROyD9RTMePA

- SAN19-225 Fuzzing embedded (trusted) operating systems using AFL (Martijn Bogaard) OP-TEE

	- video: https://www.youtube.com/watch?v=7bYAwaJ7WZw

# TEE Secure Boot

- Reverse Engineering Samsung S6 SBOOT - Part I & II

	- https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-i.html

	- https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-ii.html

- Secure initialization of TEEs: when secure boot falls short (EuskalHack 2017)

	- https://www.riscure.com/uploads/2017/08/euskalhack_2017_-_secure_initialization_of_tees_when_secure_boot_falls_short.pdf

- Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM

	- https://fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html#amlogic-s905-soc-bypassing-not-so

- Qualcomm Secure Boot and Image Authentication Technical Overview

	- https://www.qualcomm.com/documents/secure-boot-and-image-authentication-technical-overview-v20

- Breaking Samsung's Root of Trust - Exploiting Samsung Secure Boot (BlackHat 2020)

	- https://teamt5.org/en/posts/blackhat-s-talk-breaking-samsung-s-root-of-trust-exploiting-samsung-secure-boot/

- Overview of Secure Boot state in the ARM-based SoCs (Hardware-Aided Trusted Computing devroom - Maciej Pijanowski- FOSDEM 2021)

	- https://archive.fosdem.org/2021/schedule/event/tee_arm_secboot/attachments/paper/4635/export/events/attachments/tee_arm_secboot/paper/4635/Overview_of_Secure_Boot_in_Arm_based_SoCs.pdf

- Dive-Into-Android-TA-BugHunting-And-Fuzzing (Kanxue SDC 2023)

        - https://github.com/guluisacat/MySlides/blob/main/KanxueSDC2023/%E3%80%90%E8%AE%AE%E9%A2%98%E3%80%91%E6%B7%B1%E5%85%A5Android%E5%8F%AF%E4%BF%A1%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98.pdf

# TEE Videos

- Ekoparty-13 (2017) Daniel Komaromy - Unbox Your Phone - Exploring and Breaking Samsung's TrustZone SandBoxes

	- video: https://www.youtube.com/watch?v=L2Mo8WcmmZo

	- slides: https://github.com/puppykitten/tbase/blob/master/unboxyourphone_ekoparty.pdf

- Daniel Komaromy - Enter The Snapdragon (2014-10-11)

	- https://www.youtube.com/watch?v=2wJRnewVE-g

- BSides DC 2018 & DerbiCon VIII - On the nose: Bypassing Huaweis Fingerprint Authentication by Exploiting the TrustZone by Nick Stephens

	- https://www.youtube.com/watch?v=QFFhdqP7Dxg

	- https://www.youtube.com/watch?v=MdoGCXGHGnY

- An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture by Josh Thomas and Charles Holmes Android Security Symposium in Vienna, Austria, 9-11 September 2015

	- https://www.youtube.com/watch?v=vxNGgOR-iVM

- Android and trusted execution environments by Jan-Erik Ekberg (Trustonic) at the Android Security Symposium in Vienna, Austria, 9-11 September 2015

	- https://www.youtube.com/watch?v=5542lEk3OAM

- 34C3 2017 - Console Security - Switch by Plutoo, Derrek and Naehrwert

	- https://media.ccc.de/v/34c3-8941-console_security_-_switch

- 34C3 2017 - TrustZone is not enough by Pascal Cotret

	- https://media.ccc.de/v/34c3-8831-trustzone_is_not_enough

- RootedCON 2017 - What your mother never told you about Trusted Execution Environment... by José A. Rivas

	- *audio Spanish original* https://www.youtube.com/watch?v=lzrIzS84mdk

	- *English translation* https://www.youtube.com/watch?v=Lzb5OfE1M7s

- BH US 2015 - Fingerprints On Mobile Devices: Abusing And Leaking

	- https://www.youtube.com/watch?v=7NkojB9gLXM

- No ConName 2015 - (Un)Trusted Execution Environments by Pau Oliva

	- video: *audio Spanish only* https://vimeo.com/150787883

	- slides: https://t.co/vFATxEa7sy

- BH US 2014 - Reflections on Trusting TrustZone by Dan Rosenberg

	- https://www.youtube.com/watch?v=7w40mS5yLjc

- ARM TrustZone for dummies by Tim Hummels

	- https://www.youtube.com/watch?v=ecBByjwny3s

# Microarchitectural attacks applied to TEE

- ARMageddon: Cache attacks on mobile devices

    - [Paper] https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_lipp.pdf

    - [Related tool] https://github.com/IAIK/armageddon

- Cache storage channels: Alias-driven attacks and verified countermeasures.

    - https://www.kth.se/polopoly_fs/1.641701.1550155969!/R.Guanciale.pdf

- 34C3 - Microarchitectural Attacks on Trusted Execution Environments

    - https://media.ccc.de/v/34c3-8950-microarchitectural_attacks_on_trusted_execution_environments

- TruSpy: Cache side-channel information leakage from the secure world on ARM devices

    - https://eprint.iacr.org/2016/980.pdf

# Tools

## Emulate

- QEMU Support for Exynos9820 S-Boot

	- https://github.com/astarasikov/qemu

- Emulating Exynos 4210 BootROM in QEMU

	- https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html#emulating-exynos-4210-bootrom-in-qemu

## Reverse

- TZAR unpacker

	- https://gist.github.com/astarasikov/f47cb7f46b5193872f376fa0ea842e4b#file-unpack_startup_tzar-py

- IDA MCLF Loader

	- https://github.com/ghassani/mclf-ida-loader

- Ghidra MCLF Loader

	- https://github.com/NeatMonster/mclf-ghidra-loader

# Other useful resources

- ARM Trusted Firmware: reference implementation of secure world for Cortex A and Cortex M

	- https://www.trustedfirmware.org/

- OP-TEE: open source ARM TrusZone based TEE

	- https://www.op-tee.org/

- Trust Issues: Exploiting TrustZone TEEs by Project Zero Team

	- https://googleprojectzero.blogspot.com/2017/07/trust-issues-exploiting-trustzone-tees.html

- Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments (A.Machiry) 2017

	- https://pdfs.semanticscholar.org/f62b/db9f1950329f59dc467238737d2de1a1bac4.pdf (slides)

	- http://sites.cs.ucsb.edu/~cspensky/pdfs/ndss17-final227.pdf (paper)

	- https://github.com/ucsb-seclab/boomerang (tool)

- TEE research (Some useful IDA and Ghidra plugins for TEE research)

	- https://github.com/bkerler/tee_research