Huawei mate 7 TrustZone exploit
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
doc add Black Hat slides Aug 4, 2015
jni add poc source code Jun 15, 2015
libs/armeabi update README and white paper Jul 31, 2015 update README Jul 31, 2015


With two vulnerabilities,any installed application is able to execute arbitrary code in TEE of Huawei Mate7 . This source code is a PoC which may read fingerprint image from sensor(FPC1020) on Mate 7.

Official Security Advisories


  • CVE-2015-4421
  • CVE-2015-4422


see whitepaper in ./doc

How to build

ndk-build NDK_DEBUG=1


Make sure the version of firmware is Mate7-TL10,V100R001CHNC00B123SP03

Unlock your screen,put your finger on touch pad of sensor,and execute p1ng.

The exploit may take a few minutes and print out hex strings of your fingerprint data.

  • ./p1ng

Exploit Linux kernel,TEE_GlobalTask and RTOSck(kernel of TEE). Then call __FPC_readImage to read fingerprint image.

  • ./p1ng physical_addr

dump physical memory from /dev/mem, for debugging only

  • ./p1ng 0 kernel_addr

execute TEE shell code at kernel_addr, for debugging only.

kernel_addr is the address of TEE shellcode.

You can use this option to read fingerprint instantly (otherwise you must wait a few minutes) if you have ran exploit once after the mobile startup.

kernel_addr will be printed out via kmsg at the fist time executing the exploit.

  • ./p1ng 0 0 0

read TEE error log from 0x3FE01400(physical addr), for debugging only

Affected Versions

  • Huawei Ascend Mate 7 : Mate7-TL10,V100R001CHNC00B123SP03 or earlier
  • TEEOS: TrustedCore Release Version 1.26. Sep 17 2014.13:57:39 or earlier