How to Fix Broken TEE on Android Devices [2 Methods]

In this guide, we will show you two methods to fix the Broken TEE on your Android device. An Android device’s CPU has two different execution modes: the REE (Rich Execution Environment) and TEE (Trusted Execution Environment). In a normal use case scenario, when the device and its apps are running, the CPU is in REE mode.

However, for certain sensitive operations, such as verification of your fingerprint/PIN/password, the CPU tends to switch to TEE mode. Moreover, fingerprint and device PIN are stored in the TEE Mode. This is done so that even if a user ends up obtaining root-level or OS-level access, they can still not extract the fingerprint or PIN data from the device.

fix broken tee android - 1

Left: Broken TEE | Right: TEE Fixed

Besides authentication, the Trusted Execution Environment is also responsible for cryptographic signing of Play Integrity attestations (which is needed for Strong Integrity). There are specific cryptographic keys for this purpose, which can only be accessed while the CPU is in TEE mode.

However, flashing a custom binary or even simply unlocking the device’s bootloader might end up breaking the TEE on an Android device. If the same has happened with your device as well, then this guide will help you out. Follow along for the fix.

  • How to Fix a Broken TEE on Android Devices [2 Methods] By Passing Strong via Unrevoked Keybox By Reprogramming the TEE Important Notes Instructions for Engineering ROM Instructions for Stock ROM

How to Fix a Broken TEE on Android Devices [2 Methods]

YouTube video - 2

It is recommended that you try out each of the below-mentioned workarounds and then see which one spells out success. So with that in mind, let’s get started. Moreover, before starting, please take a complete device backup beforehand. Droidwin and its members wouldn’t be held responsible in case of a thermonuclear war, your alarm doesn’t wake you up, or if anything happens to your device, and data by performing the below steps.

fix broken tee android - 3 fix broken tee android - 4

By Passing Strong via Unrevoked Keybox

In some cases, passing the Strong Integrity test [apart from the Basic and Device] using an unrevoked keybox XML file is more than enough to fix the broken TEE on Android. So, carry out this tweak using the instructions given below and see if it works out in your favor or not.

How to Pass Play Integrity in New Android 13+ Checks

By Reprogramming the TEE

Important Notes

  • This process will only work on Qualcomm devices.
  • Your data will be lost, so back up your device data first.
  • The original keys that your phone may include in the TEE will be lost.
  • The engineering ROM for your device or Stock ROM with included KmInstallKeybox binary.
  • You will also need an unrevoked keybox XML file .
  • Credit for this tweak goes to chiteroman on GitHub.

Instructions for Engineering ROM

  1. Flash engineering ROM.
  2. Phone must be connected to PC, then execute these commands in order: adb root adb remount adb reboot adb shell mkdir -p /data/nativetest64/qti_keymaster_tests/ adb push keybox.xml /data/nativetest64/qti_keymaster_tests/ adb shell LD_LIBRARY_PATH=/vendor/lib64/hw KmInstallKeybox /data/nativetest64/qti_keymaster_tests/keybox.xml 0 true
  3. If you are using a keybox provided by me, then change the following arguments: adb shell LD_LIBRARY_PATH=/vendor/lib64/hw KmInstallKeybox /data/nativetest64/qti_keymaster_tests/{KEYBOX FILE} {DEVICE ID} {ATTEST PROPS?}

Instructions for Stock ROM

  1. Flash the Stock ROM.
  2. Root the device using Magisk / KernelSU / APatch .
  3. Phone must be connected to PC, then execute these commands IN ORDER: adb shell su
  4. Grant Root Access to Shell when prompted on your phone. adb shell su -c mkdir -p /data/nativetest64/qti_keymaster_tests/ adb push keybox.xml /sdcard/ adb shell su -c cp keybox.xml /data/nativetest64/qti_keymaster_tests/ adb shell su -c LD_LIBRARY_PATH=/vendor/lib64/hw KmInstallKeybox /data/nativetest64/qti_keymaster_tests/keybox.xml 0 true
  5. If you are using a keybox provided by me, then change the following arguments: adb shell su -c LD_LIBRARY_PATH=/vendor/lib64/hw KmInstallKeybox /data/nativetest64/qti_keymaster_tests/{KEYBOX FILE} {DEVICE ID} {ATTEST PROPS?}
  • How to Repair IMEI, MEID, TEE Data, and Google certificate on Umidigi Devices
  • How to Spoof/Fake/Hide Bootloader Unlock Status
  • How to Pass Strong Integrity on Unlocked Bootloader & Root!
  • How to Spoof Custom Kernel to Stock using KernelSU and SUSFS
Google preferred - 5 Google preferred - 6
  • Govind 3 months ago Reply Please send me latest keybox
  • Akshay pawar 5 months ago Reply Can i please get working unrevoked keybox XML file.

(Cancel Reply)

Δ