Viewing and extracting TrustZone contents #2

Open
jeb45 opened this issue Mar 12, 2022 · 1 comment

jeb45 commented Mar 12, 2022

First of all thank you for the great work on this.

I have a vulnerable device and have successfully run the test and the POCs on it. Now my goal is to view the contents of the TrustZone/TZOS of my device, and either dump the whole thing to inspect it, or at least do so with the individual files/applications stored there. Having read through the writeup and the research paper, I'm inclined to believe it is possible using keybuster to a certain extent, though it will likely require some modifications to the code (nwd_tz_run_cmd seems like a good start). However, I am not really familiar with the topic, so I can't be certain. Could you confirm that what I'm trying to achieve is possible? A simple yes/no would suffice, but any additional information and pointers are highly appreciated.

Thanks in advance.

shakevsky (Owner) commented

Thank you for your interest!

It is not possible to view contents of the TZOS using our research - except the key material of hardware-protected keys that the Keymaster TA encrypted in the TZOS. Keybuster allows you to directly interact with the Keymaster TA.

In their work from 2019 (published in 2021), Riscure achieved access to full TEE memory in TEEGRIS.
