{"guid":"c553ee23-bc27-585a-b8d0-d8fee999e75a","title":"Reverse engineering the Pixel TitanM2 firmware","subtitle":null,"slug":"39c3-reverse-engineering-the-pixel-titanm2-firmware","link":"https://events.ccc.de/congress/2025/hub/event/detail/reverse-engineering-the-pixel-titanm2-firmware","description":"The TitanM2 chip has been central to the security of the google pixel series since the Pixel 6. It is based on a modified RISC-V design with a bignum accelerator. Google added some non standard instructions to the RISC-V ISA. This talk investigates the reverse engineering using Ghidra, and simulation of the firmware in python.\n\nI will discuss the problems encountered while reverse engineering and simulating the firmware for the TitanM2 security chip, found in the Google Pixel phones. I'll discuss how to obtain the firmware. Talk about the problems reverse engineering this particular binary. I show how you can easily extend ghidra with new instructions to get a full decompilation. Also, I wrote a Risc-V simulator in python for running the titanM2 firmware.\n\nLicensed to the public under http://creativecommons.org/licenses/by/4.0","original_language":"eng","persons":["willem"],"tags":["2274","2025","39c3","Hardware","Ground","39c3-eng","39c3-deu","Day 2"],"view_count":5355,"promoted":false,"date":"2025-12-28T23:55:00.000+01:00","release_date":"2025-12-29T00:00:00.000+01:00","updated_at":"2026-04-08T16:00:03.932+02:00","length":2233,"duration":2233,"thumb_url":"https://static.media.ccc.de/media/congress/2025/2274-c553ee23-bc27-585a-b8d0-d8fee999e75a.jpg","poster_url":"https://static.media.ccc.de/media/congress/2025/2274-c553ee23-bc27-585a-b8d0-d8fee999e75a_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/2025/2274-c553ee23-bc27-585a-b8d0-d8fee999e75a.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/2025/2274-c553ee23-bc27-585a-b8d0-d8fee999e75a.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/39c3-reverse-engineering-the-pixel-titanm2-firmware","url":"https://api.media.ccc.de/public/events/c553ee23-bc27-585a-b8d0-d8fee999e75a","conference_title":"39C3: Power Cycles","conference_url":"https://api.media.ccc.de/public/conferences/39c3","related":[],"recordings":[{"size":295,"length":2233,"mime_type":"video/webm;codecs=av01","language":"eng-deu","filename":"39c3-2274-eng-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_av1-hd.webm","state":"new","folder":"av1-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-29T17:35:54.598+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/av1-hd/39c3-2274-eng-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_av1-hd.webm","url":"https://api.media.ccc.de/public/recordings/94875","event_url":"https://api.media.ccc.de/public/events/c553ee23-bc27-585a-b8d0-d8fee999e75a","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":null,"length":null,"mime_type":"text/vtt","language":"eng","filename":"2274-c553ee23-bc27-585a-b8d0-d8fee999e75a-eng.vtt","state":"auto","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2025-12-29T18:19:08.967+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/2274-c553ee23-bc27-585a-b8d0-d8fee999e75a-eng.vtt","url":"https://api.media.ccc.de/public/recordings/94915","event_url":"https://api.media.ccc.de/public/events/c553ee23-bc27-585a-b8d0-d8fee999e75a","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":347,"length":2233,"mime_type":"video/webm","language":"eng-deu","filename":"39c3-2274-eng-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-29T17:36:10.537+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/webm-hd/39c3-2274-eng-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/94877","event_url":"https://api.media.ccc.de/public/events/c553ee23-bc27-585a-b8d0-d8fee999e75a","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":125,"length":2233,"mime_type":"video/webm","language":"eng-deu","filename":"39c3-2274-eng-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-12-29T17:36:00.156+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/webm-sd/39c3-2274-eng-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/94876","event_url":"https://api.media.ccc.de/public/events/c553ee23-bc27-585a-b8d0-d8fee999e75a","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":34,"length":2233,"mime_type":"audio/mpeg","language":"eng","filename":"39c3-2274-eng-Reverse_engineering_the_Pixel_TitanM2_firmware_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2025-12-29T15:58:37.490+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/mp3/39c3-2274-eng-Reverse_engineering_the_Pixel_TitanM2_firmware_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/94823","event_url":"https://api.media.ccc.de/public/events/c553ee23-bc27-585a-b8d0-d8fee999e75a","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":20,"length":2233,"mime_type":"audio/opus","language":"eng","filename":"39c3-2274-eng-Reverse_engineering_the_Pixel_TitanM2_firmware_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2025-12-29T15:58:33.014+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/opus/39c3-2274-eng-Reverse_engineering_the_Pixel_TitanM2_firmware_opus.opus","url":"https://api.media.ccc.de/public/recordings/94822","event_url":"https://api.media.ccc.de/public/events/c553ee23-bc27-585a-b8d0-d8fee999e75a","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":34,"length":2233,"mime_type":"audio/mpeg","language":"deu","filename":"39c3-2274-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_mp3-2.mp3","state":"new","folder":"mp3-translated","high_quality":false,"width":0,"height":0,"updated_at":"2025-12-29T15:32:46.488+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/mp3-translated/39c3-2274-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_mp3-2.mp3","url":"https://api.media.ccc.de/public/recordings/94802","event_url":"https://api.media.ccc.de/public/events/c553ee23-bc27-585a-b8d0-d8fee999e75a","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":128,"length":2233,"mime_type":"video/mp4","language":"eng-deu","filename":"39c3-2274-eng-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-12-29T15:32:05.299+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/h264-sd/39c3-2274-eng-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_sd.mp4","url":"https://api.media.ccc.de/public/recordings/94801","event_url":"https://api.media.ccc.de/public/events/c553ee23-bc27-585a-b8d0-d8fee999e75a","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":22,"length":2233,"mime_type":"audio/opus","language":"deu","filename":"39c3-2274-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_opus-2.opus","state":"new","folder":"opus-translation","high_quality":false,"width":0,"height":0,"updated_at":"2025-12-29T15:27:56.040+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/opus-translation/39c3-2274-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_opus-2.opus","url":"https://api.media.ccc.de/public/recordings/94800","event_url":"https://api.media.ccc.de/public/events/c553ee23-bc27-585a-b8d0-d8fee999e75a","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":531,"length":2233,"mime_type":"video/mp4","language":"eng-deu","filename":"39c3-2274-eng-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-29T14:50:37.444+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/h264-hd/39c3-2274-eng-deu-Reverse_engineering_the_Pixel_TitanM2_firmware_hd.mp4","url":"https://api.media.ccc.de/public/recordings/94712","event_url":"https://api.media.ccc.de/public/events/c553ee23-bc27-585a-b8d0-d8fee999e75a","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":408,"length":2233,"mime_type":"video/mp4","language":"deu","filename":"39c3-2274-deu-Reverse_engineering_the_Pixel_TitanM2_firmware.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-29T12:49:36.389+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/h264-hd/39c3-2274-deu-Reverse_engineering_the_Pixel_TitanM2_firmware.mp4","url":"https://api.media.ccc.de/public/recordings/94702","event_url":"https://api.media.ccc.de/public/events/c553ee23-bc27-585a-b8d0-d8fee999e75a","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":408,"length":2233,"mime_type":"video/mp4","language":"eng","filename":"39c3-2274-eng-Reverse_engineering_the_Pixel_TitanM2_firmware.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-29T12:49:26.295+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/h264-hd/39c3-2274-eng-Reverse_engineering_the_Pixel_TitanM2_firmware.mp4","url":"https://api.media.ccc.de/public/recordings/94701","event_url":"https://api.media.ccc.de/public/events/c553ee23-bc27-585a-b8d0-d8fee999e75a","conference_url":"https://api.media.ccc.de/public/conferences/39c3"}]}