A curated list of public TEE resources for learning how to reverse-engineer and achieve trusted code execution on ARM devices
Introduction to Trusted Execution Environment: ARM's TrustZone
Introduction to TEE (original title: TEEを中心とするCPUセキュリティ機能の動向)
Attacking the ARM's TrustZone
ARM TrustZone Security Whitepaper
ARM TrustZone web site
TrustZone Explained: Architectural Features and Use Cases
Trustworthy Execution on Mobile Devices
Demystifying ARM TrustZone: A Comprehensive Survey
Understanding Trusted Execution Environments and Arm TrustZone (by Azeria)
SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems
Giving Mobile Security the Boot (by Jonathan Levin)
The ARMs race to TrustZone (by Jonathan Levin)
Exploiting TrustZone on Android (BH-US 2015) by Di Shen (@returnsme)
EL3 Tour: Get the Ultimate Privilege of Android Phone (Infiltrate19)
Nailgun: Break the privilege isolation in ARM devices (PoC #2 only)
Nick Stephens: How does someone unlock your phone with a nose? (gives the big picture of NWd <-> SWd communication and exploits) GeekPwn 2016
Reflections on Trusting TrustZone (2014)
Getting arbitrary code execution in TrustZone's kernel from any context (28/03/2015)
Exploring Qualcomm's TrustZone implementation (04/08/2015)
Full TrustZone exploit for MSM8974 (10/08/2015)
TrustZone Kernel Privilege Escalation (CVE-2016-2431)
War of the Worlds - Hijacking the Linux Kernel from QSEE
QSEE privilege escalation vulnerability and exploit (CVE-2015-6639)
Exploring Qualcomm's Secure Execution Environment (26/04/2016)
Android privilege escalation to mediaserver from zero permissions (CVE-2014-7920 + CVE-2014-7921)
Trust Issues: Exploiting TrustZone TEEs (24 July 2017)
Breaking Bad. Reviewing Qualcomm ARM64 TZ and HW-enabled Secure Boot on Android (4-9.x)
Technical Advisory: Private Key Extraction from Qualcomm Hardware-backed Keystores CVE-2018-11976 (NCC)
Qualcomm TrustZone Integer Signedness bug (12/2014)
The road to Qualcomm TrustZone apps fuzzing (RECON Montreal 2019)
Downgrade Attack on TrustZone
Unbox Your Phone: Parts I, II & III
KINIBI TEE: Trusted Application Exploitation (2018-12-10)
TEE Exploitation on Samsung Exynos devices by Eloi Sanfelix: Parts I, II, III, IV
Breaking Samsung's ARM TrustZone (BlackHat USA 2019)
Launching feedback-driven fuzzing on TrustZone TEE (HITBGSEC2019)
A Deep Dive into Samsung's trustzone
Breaking TEE Security:
Reverse-engineering Samsung Exynos 9820 bootloader and TZ by @astarasikov
Bug Hunting S21’s 10ADAB1E FW (OffensiveCon 2022)
PARTEMU: Enabling Dynamic Analysis of Real-World TrustZone Software Using Emulation
The Road to Qualcomm TrustZone Apps Fuzzing
Launching feedback-driven fuzzing on TrustZone TEE (HITB GSEC 2019 Singapore)
Fuzzing Embedded (Trusted) Operating Systems Using AFL (Martijn Bogaard | nullcon Goa 2019) OP-TEE
SAN19-225 Fuzzing embedded (trusted) operating systems using AFL (Martijn Bogaard) OP-TEE
Reverse Engineering Samsung S6 SBOOT - Part I & II
Secure initialization of TEEs: when secure boot falls short (EuskalHack 2017)
Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM
Qualcomm Secure Boot and Image Authentication Technical Overview
Breaking Samsung's Root of Trust - Exploiting Samsung Secure Boot (BlackHat 2020)
Overview of Secure Boot state in the ARM-based SoCs (Hardware-Aided Trusted Computing devroom - Maciej Pijanowski- FOSDEM 2021)
Ekoparty-13 (2017) Daniel Komaromy - Unbox Your Phone - Exploring and Breaking Samsung's TrustZone SandBoxes
Daniel Komaromy - Enter The Snapdragon (2014-10-11)
BSides DC 2018 & DerbyCon VIII - On the nose: Bypassing Huawei's Fingerprint Authentication by Exploiting the TrustZone by Nick Stephens
An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture by Josh Thomas and Charles Holmes Android Security Symposium in Vienna, Austria, 9-11 September 2015
Android and trusted execution environments by Jan-Erik Ekberg (Trustonic) at the Android Security Symposium in Vienna, Austria, 9-11 September 2015
34C3 2017 - Console Security - Switch by Plutoo, Derrek and Naehrwert
34C3 2017 - TrustZone is not enough by Pascal Cotret
RootedCON 2017 - What your mother never told you about Trusted Execution Environment... by José A. Rivas
BH US 2015 - Fingerprints On Mobile Devices: Abusing And Leaking
NoConName 2015 - (Un)Trusted Execution Environments by Pau Oliva
BH US 2014 - Reflections on Trusting TrustZone by Dan Rosenberg
ARM TrustZone for dummies by Tim Hummels
ARMageddon: Cache attacks on mobile devices
Cache storage channels: Alias-driven attacks and verified countermeasures
34C3 - Microarchitectural Attacks on Trusted Execution Environments
TruSpy: Cache side-channel information leakage from the secure world on ARM devices
QEMU Support for Exynos9820 S-Boot
Emulating Exynos 4210 BootROM in QEMU
TZAR unpacker
IDA MCLF Loader
Ghidra MCLF Loader
ARM Trusted Firmware: reference implementation of the secure world for Cortex-A and Cortex-M
OP-TEE: open source ARM TrustZone based TEE
Trust Issues: Exploiting TrustZone TEEs by Project Zero Team
Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments (A.Machiry) 2017
TEE research (Some useful IDA and Ghidra plugins for TEE research)